From 1640476b4ccb6b648748b558deae9674c6890075 Mon Sep 17 00:00:00 2001 
From: Martin Schläffer Date: Thu, 24 Mar 2022 17:05:34 +0000 Subject: [PATCH] latest ascon release --- ascon/.clang-format | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/CMakeLists.txt | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/LWC_AEAD_KAT_128_128.txt | 7623 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.c | 40 
++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/round.h | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.c | 15 +++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/round.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/round.h | 325 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/word.h | 116 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.h | 123 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/config.h | 29 
+++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.h | 78 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/ascon.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/constants.h | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/encrypt.c | 218 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128abi32v12/ref/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/permutations.h | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/round.h 
| 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128abi32v12/ref/word.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/round.h | 283 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/round.h | 283 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constbranch | 1 + 
ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/round.h | 347 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/round.h | 347 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/config.h | 19 
+++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv7m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/api.h | 7 +++++++ 
ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/round.h | 273 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.S | 545 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/implementors | 1 + 
ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.S | 544 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/implementors | 1 + ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.S | 457 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/implementors | 1 + 
ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.S | 474 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/implementors | 1 + ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.S | 488 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/implementors | 1 + ascon/Implementations/crypto_aead/ascon128av12/avx512/api.h | 2 +- 
ascon/Implementations/crypto_aead/ascon128av12/avx512/ascon.h | 18 ++++++++++++------ ascon/Implementations/crypto_aead/ascon128av12/avx512/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/avx512/encrypt.c | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/avx512/round.h | 20 +++++--------------- ascon/Implementations/crypto_aead/ascon128av12/avx512/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/bi32/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128av12/bi32/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32/encrypt.c | 328 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------------------------------------------------------------ ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.h | 64 +++++++++++++++++++++++++++++++++++++++++----------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/bi32/round.h | 70 ++++++++++++++++++++++++++++++++-------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32/word.h | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/round.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/round.h | 325 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constindex | 1 + 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/word.h | 116 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/encrypt.c | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------------------------------------------------------------ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.h | 64 +++++++++++++++++++++++++++++++++++++++++----------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/word.h | 121 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/ascon.h | 18 ++++++++++++++---- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/config.h | 12 +++++++++++- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/encrypt.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.c | 47 ++++++++++------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.h | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/update.c | 87 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/word.h | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi8/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/bi8/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128av12/bi8/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.c | 8 ++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi8/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.c | 17 +++++++---------- ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.h | 29 ++++++++++++++++++++++++++++- ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.c | 19 +++++++++++-------- ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/bi8/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/bi8/word.h | 94 +++++++++++++++++++++++++++++++++++++++++----------------------------------------------------- 
ascon/Implementations/crypto_aead/ascon128av12/esp32/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128av12/esp32/core.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/esp32/core.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/esp32/decrypt.c | 38 ++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/esp32/encrypt.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/esp32/endian.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/esp32/implementors | 3 +++ ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.h | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/neon/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/neon/ascon.h | 12 ++++++++++-- ascon/Implementations/crypto_aead/ascon128av12/neon/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/neon/encrypt.c | 355 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/neon/permutations.h | 35 +---------------------------------- ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.c | 29 ++++++++++++++++++++--------- 
ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/neon/round.h | 100 ++++++++++++++++++++++++++++++++++++++++++---------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/neon/word.h | 63 ++++++++++++++++++++++++++------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt32/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/opt32/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.h | 24 ++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/opt32/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.h | 24 ++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt64/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/opt64/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128av12/opt64/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt64/encrypt.c | 280 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/opt64/round.h | 70 ++++++++++++++++++++++++++++++++-------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt64/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/ascon.h | 18 ++++++++++++++---- 
ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/config.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/encrypt.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------ ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/update.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt8/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/opt8/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128av12/opt8/config.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/opt8/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt8/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/opt8/round.h | 81 ++++++++++++++++++++++++++++++++++++++++++++++----------------------------------- ascon/Implementations/crypto_aead/ascon128av12/opt8/word.h | 72 ++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/ref/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128av12/ref/ascon.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/ref/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/ref/encrypt.c | 193 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/ref/permutations.h | 66 +----------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128av12/ref/round.h | 38 +++++++++++++++++++------------------- ascon/Implementations/crypto_aead/ascon128av12/ref/word.h | 6 ++---- 
ascon/Implementations/crypto_aead/ascon128bi32v12/LWC_AEAD_KAT_128_128.txt | 7623 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/config.h | 29 +++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/round.h | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/round.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constbranch | 1 + 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/round.h | 325 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.c | 9 +++++++++ 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/round.h | 219 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.c | 15 +++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/round.h | 47 
+++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/ascon.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/constants.h | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/encrypt.c | 180 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128bi32v12/ref/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/permutations.h | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/round.h | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128bi32v12/ref/word.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/armv6/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/round.h | 283 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/api.h | 7 
+++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/round.h | 283 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.h | 78 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/round.h | 347 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constbranch | 1 + 
ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/round.h | 347 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv7m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/config.h | 19 +++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.S | 530 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/implementors | 1 + ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.S | 508 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/implementors | 1 + ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.S | 437 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/implementors | 1 + ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.S | 454 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/implementors | 1 + ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.S | 468 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/implementors | 1 + ascon/Implementations/crypto_aead/ascon128v12/avx512/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/avx512/ascon.h | 18 ++++++++++++------ ascon/Implementations/crypto_aead/ascon128v12/avx512/constants.h | 87 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/avx512/encrypt.c | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/avx512/round.h | 20 +++++--------------- ascon/Implementations/crypto_aead/ascon128v12/avx512/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/bi32/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128v12/bi32/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32/encrypt.c | 293 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.c | 15 +++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.h | 64 +++++++++++++++++++++++++++++++++++++++++----------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/bi32/round.h | 70 ++++++++++++++++++++++++++++++++-------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32/word.h | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/forceinline.h | 19 
+++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/round.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.c | 9 +++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/round.h | 325 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.c | 15 +++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/encrypt.c | 293 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.h | 64 +++++++++++++++++++++++++++++++++++++++++----------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/word.h | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/api.h | 2 +- 
ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/ascon.h | 18 ++++++++++++++---- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/config.h | 12 +++++++++++- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/encrypt.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.c | 47 ++++++++++------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.h | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/update.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------- ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/word.h | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- 
ascon/Implementations/crypto_aead/ascon128v12/bi8/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/bi8/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128v12/bi8/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.c | 8 ++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi8/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.c | 17 +++++++---------- ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.h | 29 ++++++++++++++++++++++++++++- ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.c | 19 +++++++++++-------- ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/bi8/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/bi8/word.h | 94 +++++++++++++++++++++++++++++++++++++++++----------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/esp32/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/esp32/core.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/esp32/core.h | 29 
+++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/esp32/decrypt.c | 38 ++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/esp32/encrypt.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/esp32/endian.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/esp32/implementors | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.h | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/neon/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/neon/ascon.h | 12 ++++++++++-- ascon/Implementations/crypto_aead/ascon128v12/neon/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/neon/encrypt.c | 340 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/neon/permutations.h | 35 +---------------------------------- ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/neon/round.h | 100 ++++++++++++++++++++++++++++++++++++++++++---------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/neon/word.h | 63 ++++++++++++++++++++++++++------------------------------------- 
ascon/Implementations/crypto_aead/ascon128v12/opt32/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/opt32/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/ascon.h | 36 
++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/opt64/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/opt64/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128v12/opt64/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt64/encrypt.c | 262 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/opt64/round.h | 70 ++++++++++++++++++++++++++++++++-------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt64/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/ascon.h | 18 ++++++++++++++---- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/config.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/encrypt.c | 105 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------ ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/update.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------- ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt8/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/opt8/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon128v12/opt8/config.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/opt8/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt8/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- 
ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/opt8/round.h | 81 ++++++++++++++++++++++++++++++++++++++++++++++----------------------------------- ascon/Implementations/crypto_aead/ascon128v12/opt8/word.h | 72 ++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/api.h | 31 +++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/ascon.h | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/asm.h | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/config.h | 37 +++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.c | 5 +++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.h | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/encrypt.c | 195 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_emsca | 0 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_1st | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_2nd | 1 + ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.c | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.h | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.c | 20 ++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.h | 18 ++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/round.h | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.h | 56 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/word.h | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/api.h | 31 +++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/ascon.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/asm.h | 38 ++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/config.h | 21 +++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.c | 5 +++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.h | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/encrypt.c | 228 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_emsca | 0 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_1st | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_2nd | 1 + ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.c | 6 ++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.h | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.c | 20 ++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.h | 18 ++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/round.h | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.h | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/word.h | 236 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/ref/api.h | 2 +- ascon/Implementations/crypto_aead/ascon128v12/ref/ascon.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/ref/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/ref/encrypt.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon128v12/ref/permutations.h | 66 +----------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon128v12/ref/round.h | 38 +++++++++++++++++++------------------- ascon/Implementations/crypto_aead/ascon128v12/ref/word.h | 6 ++---- ascon/Implementations/crypto_aead/ascon80pqv12/armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon80pqv12/armv6/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/round.h | 283 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/round.h | 283 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.h | 78 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/round.h | 347 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constbranch | 1 + 
ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/round.h | 347 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/config.h | 19 
+++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/round.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.S | 522 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/decrypt.c | 17 +++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/encrypt.c | 12 ++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/implementors | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32/api.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/bi32/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon80pqv12/bi32/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.h | 64 +++++++++++++++++++++++++++++++++++++++++----------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/bi32/round.h | 70 ++++++++++++++++++++++++++++++++-------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32/word.h | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/round.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/api.h | 7 +++++++ 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.h | 24 
++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/round.h | 325 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/implementors | 2 ++ 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/word.h | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/architectures | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/config.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/encrypt.c | 220 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.h | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.c | 40 ++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/round.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/word.h | 116 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/api.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.c | 15 +++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.h | 64 +++++++++++++++++++++++++++++++++++++++++----------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/word.h | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/api.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/ascon.h | 18 ++++++++++++++---- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/config.h | 12 +++++++++++- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.c | 9 +++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.h | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/encrypt.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.c | 47 ++++++++++------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.h | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.c | 17 +++++++++++------ ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.h | 115 +++++++++++++++++++++++++++---------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/update.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/word.h | 121 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/api.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/config.h | 10 ++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.c | 8 ++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi8/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.c | 17 +++++++---------- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.h | 29 ++++++++++++++++++++++++++++- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.c | 19 +++++++++++-------- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.c | 37 ++++++++++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/bi8/word.h | 85 +++++++++++++++++++++++++++++++++---------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/esp32/api.h | 6 ++++++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.c | 117 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/decrypt.c | 38 ++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/encrypt.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/endian.h | 29 +++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/implementors | 3 +++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.h | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/ascon.h | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constindex | 1 + 
ascon/Implementations/crypto_aead/ascon80pqv12/opt32/implementors | 2 ++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/api.h | 7 +++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/ascon.h | 36 ++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/config.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/encrypt.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/endian.h | 39 +++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/forceinline.h | 19 +++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constbranch | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constindex | 1 + ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/implementors | 2 ++ 
ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.c | 28 ++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.c | 32 ++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.h | 24 ++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/round.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/update.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/word.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt64/api.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/opt64/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon80pqv12/opt64/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt64/encrypt.c | 265 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.h | 
4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/opt64/round.h | 70 ++++++++++++++++++++++++++++++++-------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/api.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/ascon.h | 18 ++++++++++++++---- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/config.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/crypto_aead.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/encrypt.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------ ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/round.h | 74 ++++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/update.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/word.h | 52 ++++++++++++++++++++++++++-------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt8/api.h | 2 +- 
ascon/Implementations/crypto_aead/ascon80pqv12/opt8/ascon.h | 24 +++++++++++++++++++----- ascon/Implementations/crypto_aead/ascon80pqv12/opt8/config.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/opt8/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt8/encrypt.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.c | 13 +++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.h | 114 +++++++++++++++++++++++++++--------------------------------------------------------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/opt8/round.h | 81 ++++++++++++++++++++++++++++++++++++++++++++++----------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/opt8/word.h | 72 ++++++++++++++++++++++++++++++++---------------------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/ref/api.h | 2 +- ascon/Implementations/crypto_aead/ascon80pqv12/ref/ascon.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/ref/constants.h | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/ref/encrypt.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------- ascon/Implementations/crypto_aead/ascon80pqv12/ref/permutations.h | 66 +----------------------------------------------------------------- 
ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.c | 29 ++++++++++++++++++++--------- ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.h | 4 ++-- ascon/Implementations/crypto_aead/ascon80pqv12/ref/round.h | 38 +++++++++++++++++++------------------- ascon/Implementations/crypto_aead/ascon80pqv12/ref/word.h | 6 ++---- ascon/LICENSE | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/README.md | 407 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/genkat.cmake | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1518 files changed, 92200 insertions(+), 6262 deletions(-) create mode 100644 ascon/.clang-format create mode 100644 ascon/CMakeLists.txt create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/LWC_AEAD_KAT_128_128.txt create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constbranch 
create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/implementors create mode 
100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.h create 
mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.c create mode 
100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128abi32v12/ref/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/endian.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/implementors create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m/round.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/architectures create mode 
100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/endian.h create 
mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constindex create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/avx512/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/avx512/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/ascon.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/encrypt.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/endian.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/bi8/encrypt.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/esp32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/core.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/core.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/neon/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.h create mode 
100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt64/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/constants.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt8/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/opt8/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/ref/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/LWC_AEAD_KAT_128_128.txt create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/round.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/api.h create mode 
100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/architectures create mode 100644 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/ascon.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/config.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constindex 
create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128bi32v12/ref/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/api.h 
create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/config.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constbranch create 
mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/update.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/decrypt.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/avx512/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/avx512/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/round.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/word.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/bi8/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/core.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/core.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/neon/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/encrypt.c create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/opt32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.c create 
mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt64/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt8/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/opt8/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/asm.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_emsca create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_1st create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_2nd create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/api.h create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/asm.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_emsca create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_1st create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_2nd create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/implementors create mode 100644 
ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/ref/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constindex create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.c create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/architectures create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/constants.h create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constbranch create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.c create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.S create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/endian.h create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constbranch create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/implementors create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/architectures create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.c create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/bi8/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/decrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/encrypt.c create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/esp32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/config.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/config.h create mode 100644 
ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/endian.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/forceinline.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constbranch create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constindex create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/implementors create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/round.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/update.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/word.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt64/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/crypto_aead.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt8/constants.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/opt8/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/ref/constants.h create mode 100644 ascon/LICENSE create mode 100644 ascon/README.md create mode 100644 ascon/genkat.cmake 
diff --git a/ascon/.clang-format b/ascon/.clang-format
new file mode 100644
index 0000000..f2dd0de
--- /dev/null
+++ b/ascon/.clang-format
@@ -0,0 +1,168 @@ +--- +Language: Cpp +# BasedOnStyle: Google +AccessModifierOffset: -1 +AlignAfterOpenBracket: Align +AlignConsecutiveMacros: false +AlignConsecutiveAssignments: false +AlignConsecutiveDeclarations: false +AlignEscapedNewlines: Left +AlignOperands: true +AlignTrailingComments: true +AllowAllArgumentsOnNextLine: true +AllowAllConstructorInitializersOnNextLine: true +AllowAllParametersOfDeclarationOnNextLine: true +AllowShortBlocksOnASingleLine: Never +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: All +AllowShortLambdasOnASingleLine: All +AllowShortIfStatementsOnASingleLine: WithoutElse +AllowShortLoopsOnASingleLine: true +AlwaysBreakAfterDefinitionReturnType: None +AlwaysBreakAfterReturnType: None +AlwaysBreakBeforeMultilineStrings: true +AlwaysBreakTemplateDeclarations: Yes +BinPackArguments: true +BinPackParameters: true +BraceWrapping: + AfterCaseLabel: false + AfterClass: false + AfterControlStatement: false + AfterEnum: false + AfterFunction: false + AfterNamespace: false + AfterObjCDeclaration: false + AfterStruct: false + AfterUnion: false + AfterExternBlock: false + BeforeCatch: false + BeforeElse: false + IndentBraces: false + SplitEmptyFunction: true + SplitEmptyRecord: true + SplitEmptyNamespace: true +BreakBeforeBinaryOperators: None +BreakBeforeBraces: Attach +BreakBeforeInheritanceComma: false +BreakInheritanceList: BeforeColon +BreakBeforeTernaryOperators: true +BreakConstructorInitializersBeforeComma: false +BreakConstructorInitializers: BeforeColon +BreakAfterJavaFieldAnnotations: false +BreakStringLiterals: true +ColumnLimit: 80 +CommentPragmas: '^ IWYU pragma:' +CompactNamespaces: false +ConstructorInitializerAllOnOneLineOrOnePerLine: true +ConstructorInitializerIndentWidth: 4 +ContinuationIndentWidth: 4 +Cpp11BracedListStyle: true +DeriveLineEnding: true +DerivePointerAlignment: true +DisableFormat: false +ExperimentalAutoDetectBinPacking: false +FixNamespaceComments: true +ForEachMacros: + - foreach 
+ - Q_FOREACH + - BOOST_FOREACH +IncludeBlocks: Regroup +IncludeCategories: + - Regex: '^' + Priority: 2 + SortPriority: 0 + - Regex: '^<.*\.h>' + Priority: 1 + SortPriority: 0 + - Regex: '^<.*' + Priority: 2 + SortPriority: 0 + - Regex: '.*' + Priority: 3 + SortPriority: 0 +IncludeIsMainRegex: '([-_](test|unittest))?$' +IncludeIsMainSourceRegex: '' +IndentCaseLabels: true +IndentGotoLabels: true +IndentPPDirectives: None +IndentWidth: 2 +IndentWrappedFunctionNames: false +JavaScriptQuotes: Leave +JavaScriptWrapImports: true +KeepEmptyLinesAtTheStartOfBlocks: false +MacroBlockBegin: '' +MacroBlockEnd: '' +MaxEmptyLinesToKeep: 1 +NamespaceIndentation: None +ObjCBinPackProtocolList: Never +ObjCBlockIndentWidth: 2 +ObjCSpaceAfterProperty: false +ObjCSpaceBeforeProtocolList: true +PenaltyBreakAssignment: 2 +PenaltyBreakBeforeFirstCallParameter: 1 +PenaltyBreakComment: 300 +PenaltyBreakFirstLessLess: 120 +PenaltyBreakString: 1000 +PenaltyBreakTemplateDeclaration: 10 +PenaltyExcessCharacter: 1000000 +PenaltyReturnTypeOnItsOwnLine: 200 +PointerAlignment: Left +RawStringFormats: + - Language: Cpp + Delimiters: + - cc + - CC + - cpp + - Cpp + - CPP + - 'c++' + - 'C++' + CanonicalDelimiter: '' + BasedOnStyle: google + - Language: TextProto + Delimiters: + - pb + - PB + - proto + - PROTO + EnclosingFunctions: + - EqualsProto + - EquivToProto + - PARSE_PARTIAL_TEXT_PROTO + - PARSE_TEST_PROTO + - PARSE_TEXT_PROTO + - ParseTextOrDie + - ParseTextProtoOrDie + CanonicalDelimiter: '' + BasedOnStyle: google +ReflowComments: true +SortIncludes: true +SortUsingDeclarations: true +SpaceAfterCStyleCast: false +SpaceAfterLogicalNot: false +SpaceAfterTemplateKeyword: true +SpaceBeforeAssignmentOperators: true +SpaceBeforeCpp11BracedList: false +SpaceBeforeCtorInitializerColon: true +SpaceBeforeInheritanceColon: true +SpaceBeforeParens: ControlStatements +SpaceBeforeRangeBasedForLoopColon: true +SpaceInEmptyBlock: false +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 2 
+SpacesInAngles: false
+SpacesInConditionalStatement: false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpaceBeforeSquareBrackets: false
+Standard: Auto
+StatementMacros:
+ - Q_UNUSED
+ - QT_REQUIRE_VERSION
+TabWidth: 8
+UseCRLF: false
+UseTab: Never
+...
+
diff --git a/ascon/CMakeLists.txt b/ascon/CMakeLists.txt
new file mode 100644
index 0000000..ec3ce37
--- /dev/null
+++ b/ascon/CMakeLists.txt
@@ -0,0 +1,115 @@
+cmake_minimum_required(VERSION 3.9)
+project(ascon LANGUAGES C ASM)
+enable_testing()
+
+# set the default version, algorithms, implementations, tests, flags, defs
+set(DEFAULT_VERSIONS v12)
+set(DEFAULT_ALGS ascon128 ascon128a ascon80pq asconhash asconhasha
+ asconxof asconxofa asconprf asconmac asconprfs ascon ascona)
+
+# default to all C implementations:
+set(DEFAULT_IMPLS ref opt64 opt64_lowsize opt32 opt32_lowsize bi32 bi32_lowsize bi32_lowreg esp32 opt8 bi8)
+
+# tests: genkat, getcycles
+set(DEFAULT_TESTS genkat)
+set(DEFAULT_COMPILE_DEFS)
+set(DEFAULT_EMULATOR)
+
+if(MSVC)
+ set(DEFAULT_REL_FLAGS /O2)
+ set(DEFAULT_DBG_FLAGS /Od)
+else()
+ set(DEFAULT_REL_FLAGS -std=c99 -O2 -fomit-frame-pointer -march=native -mtune=native)
+ set(DEFAULT_DBG_FLAGS -std=c99 -O2 -Wall -Wextra -Wshadow)
+endif()
+
+# set cmake variables for version, algorithms, implementations, tests, flags, defs
+set(VERSION_LIST ${DEFAULT_VERSIONS} CACHE STRING "Choose the ascon versions to include.")
+set(ALG_LIST ${DEFAULT_ALGS} CACHE STRING "Choose the list of algorithms to include.")
+set(IMPL_LIST ${DEFAULT_IMPLS} CACHE STRING "Choose the list of implementations to include.")
+set(TEST_LIST ${DEFAULT_TESTS} CACHE STRING "Choose the list of tests to include.")
+set(REL_FLAGS ${DEFAULT_REL_FLAGS} CACHE STRING "Define custom Release (performance) flags.")
+set(DBG_FLAGS ${DEFAULT_DBG_FLAGS} CACHE STRING "Define custom Debug (NIST) flags.")
+set(COMPILE_DEFS ${DEFAULT_COMPILE_DEFS} CACHE STRING "Define custom compile definitions.")
+set(EMULATOR ${DEFAULT_EMULATOR} CACHE STRING "Define custom emulator command.")
+
+if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0" AND NOT WIN32 AND NOT CYGWIN AND NOT MSYS)
+ # use sanitizer in Debug build (not on windows and only of target_link_option is available)
+ set(DBG_FLAGS ${DBG_FLAGS} -fsanitize=address,undefined)
+endif()
+
+# set the default build type for single-config generators if none was specified
+if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
+ message(STATUS "Setting build type to 'Release' as none was specified.")
+ set(CMAKE_BUILD_TYPE Release CACHE STRING
+ "Choose the type of build, options are: None Debug Release RelWithDebInfo MinSizeRel." FORCE)
+endif()
+
+# add platform specific implementations
+message(STATUS "cmake host system name: ${CMAKE_HOST_SYSTEM_NAME}")
+message(STATUS "cmake host system processor: ${CMAKE_HOST_SYSTEM_PROCESSOR}")
+
+set(KAT_PATH KAT)
+set(TEST_PATH tests)
+foreach(CRYPTO aead hash auth)
+ foreach(VER ${VERSION_LIST})
+ foreach(ALG ${ALG_LIST})
+ foreach(IMPL ${IMPL_LIST})
+ set(IMPL_PATH crypto_${CRYPTO}/${ALG}${VER}/${IMPL})
+ if((NOT ${CRYPTO} STREQUAL auth) AND
+ NOT EXISTS ${CMAKE_SOURCE_DIR}/${IMPL_PATH})
+ set(IMPL_PATH crypto_aead_hash/${ALG}${VER}/${IMPL})
+ endif()
+ if(NOT EXISTS ${CMAKE_SOURCE_DIR}/${IMPL_PATH})
+ continue()
+ endif()
+ message("Adding implementation ${IMPL_PATH}")
+ set(IMPL_NAME crypto_${CRYPTO}_${ALG}${VER}_${IMPL})
+ file(GLOB IMPL_FILES RELATIVE ${CMAKE_SOURCE_DIR} "${IMPL_PATH}/*.[ch]")
+ if(${IMPL} MATCHES protected.*)
+ set(IMPL_FILES ${IMPL_FILES} ${TEST_PATH}/randombytes.h)
+ endif()
+ add_library(${IMPL_NAME} ${IMPL_FILES})
+ target_include_directories(${IMPL_NAME} PUBLIC ${IMPL_PATH} ${TEST_PATH})
+ target_compile_definitions(${IMPL_NAME} PRIVATE ${COMPILE_DEFS})
+ #target_compile_features(${IMPL_NAME} PUBLIC c_std_99) # cmake >= 3.8.2
+ target_compile_options(${IMPL_NAME} PUBLIC $<$:${REL_FLAGS}>)
+ target_compile_options(${IMPL_NAME} PUBLIC $<$:${DBG_FLAGS}>)
+ foreach(TEST_NAME ${TEST_LIST})
+ if(${TEST_NAME} STREQUAL genkat)
+ set(TEST_FILES ${TEST_PATH}/crypto_${CRYPTO}.h ${TEST_PATH}/genkat_${CRYPTO}.c)
+ else()
+ set(TEST_FILES ${TEST_PATH}/crypto_${CRYPTO}.h ${TEST_PATH}/getcycles.c)
+ endif()
+ string(TOUPPER CRYPTO_${CRYPTO} DEFINE_CRYPTO)
+ if(${IMPL} MATCHES protected.*)
+ set(DEFINE_CRYPTO ${DEFINE_CRYPTO}_SHARED)
+ endif()
+ if(${ALG} STREQUAL asconprfs)
+ set(DEFINE_MAXMSGLEN "MAX_DATA_LENGTH=16")
+ else()
+ set(DEFINE_MAXMSGLEN "MAX_DATA_LENGTH=1024")
+ endif()
+ set(EXE_NAME ${TEST_NAME}_${IMPL_NAME})
+ add_executable(${EXE_NAME} ${TEST_FILES})
+ target_compile_definitions(${EXE_NAME} PRIVATE ${DEFINE_CRYPTO} ${DEFINE_MAXMSGLEN})
+ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.13.0")
+ target_link_options(${EXE_NAME} PRIVATE $<$:${DBG_FLAGS}>)
+ endif()
+ target_link_libraries(${EXE_NAME} PRIVATE ${IMPL_NAME})
+ string(REPLACE ";" " " EMULATOR_STRING "${EMULATOR}")
+ if(${TEST_NAME} STREQUAL genkat)
+ add_test(NAME ${EXE_NAME} COMMAND ${CMAKE_COMMAND}
+ -DEXE_NAME=${EXE_NAME} -DALG=${ALG}${VER} -DCRYPTO=${CRYPTO}
+ -DSRC_DIR=${CMAKE_SOURCE_DIR} -DBIN_DIR=${CMAKE_BINARY_DIR}
+ -DEMULATOR=${EMULATOR_STRING} -DCONFIG=$
+ -P ${CMAKE_SOURCE_DIR}/genkat.cmake)
+ else()
+ add_test(${EXE_NAME} ${EXE_NAME})
+ endif()
+ endforeach()
+ endforeach()
+ endforeach()
+ endforeach()
+endforeach()
+
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/LWC_AEAD_KAT_128_128.txt b/ascon/Implementations/crypto_aead/ascon128abi32v12/LWC_AEAD_KAT_128_128.txt
new file mode 100644
index 0000000..8d2a00c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/LWC_AEAD_KAT_128_128.txt
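Review bot: Every path probe in the implementation loop (`if(NOT EXISTS ${CMAKE_SOURCE_DIR}/${IMPL_PATH})`, the `file(GLOB IMPL_FILES RELATIVE ${CMAKE_SOURCE_DIR} ...)`, and the `-DSRC_DIR=`/`-P ${CMAKE_SOURCE_DIR}/genkat.cmake` arguments of the genkat test) is rooted at `${CMAKE_SOURCE_DIR}`, yet the file is added as `ascon/CMakeLists.txt`; if this directory is ever consumed through add_subdirectory from the parent tree, those checks would look in the wrong root, `continue()` would skip every implementation, and the configure would finish with no libraries and no registered tests and no diagnostic. Using `${CMAKE_CURRENT_SOURCE_DIR}` in those places keeps the file correct both standalone and as a subproject, and a `message(FATAL_ERROR "no ascon implementation found under ${CMAKE_CURRENT_SOURCE_DIR}")` when the loop adds nothing would make the silent-empty case visible. Separately, `-march=native -mtune=native` in `DEFAULT_REL_FLAGS` makes Release binaries non-reproducible across hosts (a binary built on one CI runner may not run on another), so it belongs behind an option rather than in the default. The unquoted string comparisons (`if(${CRYPTO} STREQUAL auth)`, `if(${TEST_NAME} STREQUAL genkat)`, `if(${ALG} STREQUAL asconprfs)`) should be written as `if("${CRYPTO}" STREQUAL "auth")` so CMake cannot dereference the value a second time.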
@@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = +CT = B79F7746C3A7E0B82EA87F494DBC1626 + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00 +CT = 50CBA98DD24712D832B6A79440547D8E + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001 +CT = D620986635106D64097B305B74860CA3 + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102 +CT = 3098345CFEAA82617B1CE4EE3A40E446 + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203 +CT = 3CC8319189C08C19035D18FC169C6CA7 + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304 +CT = E46FFD68F517B985AAC7B5C802BB00A0 + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405 +CT = C20084C48BFC35797BDD5276D93F5A8B + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506 +CT = 9EFA12C3882B104FF00A38257C375BD4 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304050607 +CT = 48C82643811008A67AC2027945DAC433 + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708 +CT = 82BD8F910E06044C5D04125592ED4BFF + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506070809 +CT = 5B0FB379396DEDB52BB9033B6181B2EF + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A +CT = 3F62689E89CA996A952C232DCEECE145 + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B +CT = 117918CACD98AF93720BA51AA845EE59 + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C +CT = E0F27E4CC9E6F431725CE6D83FAD7DEB + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D +CT = A23C2789FF1DFB8B0E97ADF0286B46DC + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E +CT = FED47B25FABBE032BE5D88417E426DCC + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = 69311921AF6E59B8517574426160B26F + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = D32BF0F745E43C47CBA2A56E5F811B99 + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = E5A22C444ABF657E78C17C5F4548AD70 + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 11962B1D22946AD2CD29704E526119E3 + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = AFBA115591F013CF3627E8C6E75B62C5 + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = A64362F05F6908E536736007BCF71ADF + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 23A4B615CB7D9CA15DDCE74D41A791C8 + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce 
= 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 10B45E238DA4B0E6F10006F2CA890E67 + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CC68C62AD76427344FCFB03DDB555F7 + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 114CBC20E67E5977EE8A0F4040977912 + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A09CCBFB76DEBA667D3D91E35E5EA725 + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2DD6029E02C82D1E9729A048DB03CBD3 + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FF8F27B7F8829E227A140D653EDFE4A2 + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 33606005FF9190F6C89498A79E640711 + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 0AD160161F79F3CAF4351A08A6D8B122 + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 616A63185D42022E92CD13E61E273CF4 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C63A6344489A9C7A28D1A016EC1EB773 + +Count = 34 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = +CT = 3A90A540D9730526B3542A24B9BDB90850 + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00 +CT = 7BFF886BCE81D8D84142315544FB9C5468 + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001 +CT = E50492C80496F2078F3288F70CC33948F2 + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102 +CT = 070BFB9CA303DFFDE1C52934FFA11DC7D7 + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203 +CT = CCC3B40BD746784B36BEA0B729023317DC + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304 +CT = FD0DA73C4593E2F100BB5720207C237D43 + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405 +CT = A7DF88311C9E5CE767419B2FF47C9A6DB3 + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506 +CT = A2886FCBA9C2D708DEE4C5187BBB4653FB + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304050607 +CT = 1F5AC782F51B2F6C0394D961B2D3BE9E05 + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708 +CT = 80640C8943E19297FC7B1CDA428503F958 + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506070809 +CT = C84CF186CA5F7EC991F6D3DF8042F24DB3 + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A +CT = 7B5A5C0C9F96442F8F2F11EF7E88C32F63 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B +CT = BC4BBD88CC4E64ADAFB53E8960FFB94652 + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C +CT = 91B05E73D01DC5E0950813984936CDE867 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = 4607A3C0E91DD6DDEB442D10200F55EFE7 + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = 4D3B3BCC3C82D6A59289EFD7FD97CCE7BA + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DCFA92B3ABFC8D27CC16228D3F68A29D0 + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 773B62CA5F0734AA000D8416D398400874 + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C0D49EA7AD2B10241B047C1E42E18E7744 + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 53CFF8C0C31D507A0BFB2F27E2C4B20A9B + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3B2A2BC182F6F58F6C19C544F0C7B3AA3A + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7CB12456403490C86933C9B20C9E98339 + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 
A5E32E6A770F6A0640A5874798B2FF43CD + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1542CBB80C924FEA42D5B077A1D94B8FF9 + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4D84A85D372188BFFA1A97F09FC995C0F1 + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CADC9EE50B35746D7AF924CCB310200A10 + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8DE440A887690EFB31F0745576CC46318B + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29D1831F842373DE1591D5C319C1AE06D8 + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAAB1B8791A9207E86D75F767A0ADDD324 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8AC1243500FEAD37B2BD6354A72DE0CD51 + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = EDAE6000EAE3269C4FA8496DC4162AA7AB + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D54466237E4D2A3FA6C351DDD0322CD490 + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75C3D8B201F8D61B14325279A48683AB8B + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = +CT = 3A23F5159C4436DEAA4A6184535E1BAC967A + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00 +CT = 7B6F964778C01D03EA738B0227402A2DD3B0 + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001 +CT = E5D32CDA1C5DFDFCE7DADD6310ECE928F3BC + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102 +CT = 07E3F1523DAA0DE8EE4DABCDCD1B7FA759C6 + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203 +CT = CC515448F099704E4E9BA64F9B9EB8DD4A5D + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304 +CT = FD270F9E6DAB7F1BE2B30988F2BD4B984823 + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405 +CT = A756531D814668ECA6C0373B6BE61A5475AC + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506 +CT = A2A893D53108115A2304DA61EB14FC607722 + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304050607 +CT = 1FF86DACB6BC04F0F2FE8C4E7E0A3338A137 + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708 +CT = 807D03FEF0AB543A24CAC6412EA3904B1180 + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506070809 +CT = C85CBB5F5835E6EDBDE6CA3BADC09AEF7B98 + +Count = 78 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A +CT = 7BB08F55A22798F1DBEA67D73303CF8FE48B + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B +CT = BC2F542B43545466ACA7BCA0B5AC8E23A23B + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C +CT = 91F90259D3F7B934B0DBAB10AD201776925C + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = 465FA787EA769CA1AC8529386D1732BAD006 + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7E8102953B5607521BDDBD8BD0DBA6537 + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD2F9BA71D238EC24D84FBB7BDA67212228 + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775CFE81CC725F899731E32B0D0BCBAB655 + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02AACD5C6DDD690FBB9AEEEA566C59E00A4 + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354D38616F58389F534B91AA0E15CDDC175 + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0789FA88380BE7E139C3A4B4CA6EFAC62 + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 
000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D78B231F5CFAF81B43059BEF21AA5CC78D + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A52849F467FC70E21FE84921423CED55D95D + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 150898771135243E903CF1455644A791B572 + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAACC972287598FD05C8FCDE9163FA0AE47 + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA5B4A0E1245250E2DE976D32DEDFC38C8F + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D07C97E6375EB222DA252FEB519D45F07C6 + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2912B5A7E542986EB2CEFA0508A0037FF0CF + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD229708681B363C5EC17FE94381CCD01AA + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A71DE55E34C2102629870BE8B46149507DF + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7DE1A21085A717FAAE5667E91B812F2629 + +Count = 98 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578D09E09DEED1AAC53B0AD5AC75F867967 + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E577E7C94882146594BB50D43A41B8B936 + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = +CT = 3A2349C71272DAF518846AACB6BFDB2807278B + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00 +CT = 7B6F015C2773A39EE04907FF34FED41928A6A6 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001 +CT = E5D31F68B305250E4036C83598EEA7B2681C23 + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102 +CT = 07E311D216C285C5DD123F58F36140A4212968 + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203 +CT = CC513BD973CCEC661A2420978CBE0303BF03F4 + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304 +CT = FD27D548A1309D30C65F021617FBB937026EE8 + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405 +CT = A75645360A73C6C8555FF457957677EC689840 + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506 +CT = A2A8960FFFA2D28DAEB82D380D270CA6FD7746 + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304050607 +CT = 1FF84F6C3EF0B1C1D154FD256209B5621C6047 + +Count = 109 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708 +CT = 807D5DC3346D8820E9CEEB1E54BC79F0F30152 + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506070809 +CT = C85CA4F7E117FFF4B2D63ACA6BF49D79B4A347 + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A +CT = 7BB05DD6887F9867C2EA063F9047C31EFC08A3 + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B +CT = BC2F7891DFC784A3627A48515E9CF6EDBD0BCA + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C +CT = 91F9F5A8020615BA8F3D3A593D6E67C4B18824 + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = 465F38A2B2BE3DB3C87A239A1872BE05777AE1 + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C2D50FC6B17BAE82D1BC81974DCAEAA7A7 + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A2F4AB96EAE645EAE0206E27D8A67E391 + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A08C82B38BFA4FD17136EB8967900FDB2E + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B49B202D9564E23C62A491F80CB86D647 + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 
000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF655BAA42A1548EDFC27360229707A60A + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC087B0E850F65D91D5F96092845C13826F7C + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA4A20DCDD3C5190517B278F09CAACA5BA + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33F0F5292E1CA508110DAB355931D7314 + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEAA902DDDFB08A2F090478DD5CF215016 + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD29D8C5E6D50D10C0AED27EEA597C22DBE + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588A8FFA3758D757FC5B3E1BB6B5B1C1A80 + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070DCDDCC23D3D417CF6FF396457B5254CB4 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 291265D3E640EE12167AF1F9E3888DE649159A + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EA4FD3643E59516CB1E56CBA9C8904EE76 + +Count = 129 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A7103826C0B91DDC0CAE3E38D31C84F4ABE76 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2BB9CDBD1FC14E85E9248AD2E64E496273 + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578743AB6D7287161EAAE01482596E6D02CD5 + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58BD87690A5AE69A9A1DE7A57FA8A65FDD2 + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = +CT = 3A2349E4B407A96787748B7DF9B3E1B8D448C76B + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00 +CT = 7B6F012DC5343132811111187ED3758190E100B0 + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001 +CT = E5D31FC821D24736C5C35E7A4175F94245B1CC8D + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102 +CT = 07E31194AB51D894AB7C99ABF325674DF3093941 + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203 +CT = CC513B8237101FE41B3FFAE260D11F6B9BC6A129 + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304 +CT = FD27D5B53513EC40CC6C2E36F6ED7444B6783F29 + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
00010203 +AD = 000102030405 +CT = A7564530BE5A26270DC9A360B862F3C60AD1BDEF + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506 +CT = A2A89655B8D3A35315C6408E0D6794AE4CF61782 + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304050607 +CT = 1FF84F1592B43DD84A233126947C0B7250B6BBF4 + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708 +CT = 807D5D99C1B5A8CCE235E76B4583FDD8AFEE3E4C + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506070809 +CT = C85CA4161C467D84AE8D161C723EF7433E5ECD24 + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A +CT = 7BB05D48EC6D8EEBB11FF9116C68290F3BA1D69B + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B +CT = BC2F7866F1E6B8DBF5F5B73D58223BB45276FCA5 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1245559380C105E62C32D81A1CC38DA4E + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = 465F38DD4F1F8E688B6065423069552AA3F808B3 + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C27092F8BFE6059C53F5E04446F91A142693 + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06287CA63DAAFC49B96171514D5CDC8CE1 + +Count = 150 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D319511AD0D11705F0F83E23B925B9F427 + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B880E44573ED9FB4B994A87DE081EB0FFCC + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF5350441F9EAA073BF55458B38E89156A1D + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC91A67D0DF1A2734E197BB4A050B75FD + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F4278E01A91901683FCC5DED9B9EBA62C + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33BA2224EEC00B295E1D3B3DF3322CD2A01 + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4CCC2E989661BAD9E602BAAFEE913F7D1 + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD22242D7A51400FCA60EF883CFB850877EAC + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0440476D9369AB8F79B32D4637522FF27 + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D854DA41735D2C6CC4FC9C1766D5D9BA6F1 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 291265656A3A96EF4B0CD92AF11DB2E46B6485D2 + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE5400FD98272442D222A61C02912574D6E + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305C3D496815B07BC781E79F9AC19E66893 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B1709326806700E7E2B5A01E40863AAE2 + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749B6D42DC7784F0078C45E92DDDD218ADCD + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B46F42C9F8350D22C79CABB63513AB04C56 + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = +CT = 3A2349E463DE64CADBF78C19C696FAD01BCA861C9E + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00 +CT = 7B6F012D698FC49FC914D4998B5EE4F0B76FF8F80F + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001 +CT = E5D31FC8CDFAB87C60D09EA32DB46F49B42D578BA0 + +Count = 169 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102 +CT = 07E31194EF1BE906E15BF9A3C961738A6F50884815 + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203 +CT = CC513B823CBA69161816A82F960896266F7D873E34 + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304 +CT = FD27D5B5C1F9C3082DEF455E103D77905B94044A10 + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405 +CT = A7564530AF11D0225CEA2249EDB45938F3A060B448 + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506 +CT = A2A89655335CCD106F164D04A71BEDEE1390041815 + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304050607 +CT = 1FF84F1572761DAAAF7025D5D933918F57A4B11B98 + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708 +CT = 807D5D994444B0D2C981597084F212FFA127A8AF85 + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506070809 +CT = C85CA416C2BC62657500ADB159BC2D14CE8670F754 + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A +CT = 7BB05D4887E354DBBF1A4EA104116A63365DB6ADF3 + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B +CT = BC2F786689E0C339C71C63AAD5A54943C3587BCF2F + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = 
91F9F5F1CD650822CA61991321B0F04BF56DFB9D4D + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA303D6748CA50295BD1C5E7FBBF80BEE25 + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F0CBAA1B3159035FBC6834F7CD405FC25D + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A066163405EE71BE6EFC23AE63C42CF6056ED + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32F5D4AEFC6D995211105A6CA40977E6ECD + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B88800016815C193598E3E8BF6335B34251F9 + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DD60AA3709BCB3001507A5BD82D41A96C + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC50BFD69D2243235D3061AD6D730503D7E + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F836EFE7FBD61EFCCE6E56425BA57771823 + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B753A9FA414814992211328EA216D329EB6 + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EEFCB6B3776824C7F467BAB2925CAC1D10 + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227B5C1DCD9E478AD9B16FA5849AE9278569 + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C080591EFE43100CA7F673DFB566728D792A + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594B5E49E3D0661C903D3B6563D1992AE13 + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DB888DF4A83180A784522C60A8E2F98BD8 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F777B09321791863129F054F24C9061F0 + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BA840B86DC55A7D0761ACDB6D2ECFA1FC1 + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BBC168FE541C6E0EEE56ACAF12147E628 + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC2BFB02A4FFFDB7DEB656DC295EDF85F38 + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B4697643BADBC7D9A87F77E955D4266517B4A + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = +CT = 3A2349E4635640E9F4194E88956035169123232D036A + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00 +CT = 7B6F012D69E515CFC03835B9E487DB7134E4B1F006AB + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001 +CT = E5D31FC8CDD26CB9641827AE2A007D5A385CEB6EEFD0 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102 +CT = 07E31194EF515E40C0DBDFBFBED99AB054EAC88D6728 + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203 +CT = CC513B823C27D5F3321F27FF5644757DD70DC13CAD6F + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304 +CT = FD27D5B5C12ACB1452186B919988403131C29829DBEC + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405 +CT = A7564530AF1D04264C1C1CB23CA81947D81F925F3A11 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506 +CT = A2A896553337596A76084D264BCD1D044B217F56AE3F + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304050607 +CT = 1FF84F1572937115681CBA6DF6A48735E645309FFBC9 + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708 +CT = 807D5D9944867EB2712A924B338A51FFF1F9566FE507 
+ +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506070809 +CT = C85CA416C27D1232AE9FF7C7D2C6E3D18084239E0E3A + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A +CT = 7BB05D48871BF122AC3BC70872F8F0BF14B07501A557 + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B +CT = BC2F7866890E4B7615E04CC76E3B86B0DE36B30ED78E + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD50789EE2C92767827A37783A226381FC79 + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA39441E5055E314FC27A567D7C96951025AC + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068C60284EB2E3F6A46E20462FC358CB566 + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613FE2DECCA1BFB32E433F9F018F497B5E91 + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC891CBC55797F8FB6EB369005697B434D3 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0D84613733CE621C5214BF4205204D1B4 + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 
5354BF538DC79B772DDACF31C48E7F1A9B5F6363A228 + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC561867DAD2339C4D4233E2332FE829B3622 + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839F9E512D5A4E5443B48C26BACE06825715 + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4BF316CC0A1CE72C18AFBF344ACBDD55D + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED64EF2CF38B25F18AAC3ABE269A66ABE7E + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD969E12794934A475F3761D8A4A99CF409 + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B439455B71BADA97831F79BB31C2344C3 + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBB308A1B0FCB4F26BD29C7426EEB214CA + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE5D7B47A041F2E2A8BD99AA0283C03163 + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 
CAD2EAE58F8EFD5E17217B3973EE9683F29822A42495 + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADFEF915A64C3363FF02D6CC066C9CA10C4 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB07792458D9EC4F2B2C3C0373AC77EA02D + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21B88435CFBA9ABBFCC5E373A5F2FEBCEF7 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737E693AE1C46701FDB0BC1CC464070B05E + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = +CT = 3A2349E4635666F54C12FDCA529F04B96DD6C35D7AEB7B + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00 +CT = 7B6F012D69E592399F913BBB9ED2FA419A845BA348EB01 + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001 +CT = E5D31FC8CDD2BEE894BF5E818ABD1F40B5B55C136FB0E9 + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102 +CT = 07E31194EF51366512725041EEEE962AE0AFF75BEECFC3 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203 +CT = CC513B823C2721CF2F058C9A2ED0AA671A68701BB48104 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
00010203040506 +AD = 0001020304 +CT = FD27D5B5C12A4E2219E38A54EB826585EE5FE3A54344A4 + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405 +CT = A7564530AF1D9CEEE07AFA54A49378CD662ADCABBD0639 + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506 +CT = A2A896553337170EADB66B0FBA1B8515215B0CCA957E61 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304050607 +CT = 1FF84F1572938653F0A870B956B35A0D3FED9317BE88DE + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708 +CT = 807D5D994486FFF3BBF033A894AB3E43CA5FCB4E9D813A + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506070809 +CT = C85CA416C27D763AD5F0F31973DC71BB105A85891C0A30 + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A +CT = 7BB05D48871BCD4E8ACE2ABDE41A3830FA1F2E89349A4D + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = BC2F7866890E9BB2DCE185ADBB3FAD2472584C36179A89 + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509724DA7C2D58210D7F262809E6E8335EE3 + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949DA3B06B3D6711EAB9A8E49D7F5EC18674 + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 
000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAE798EEE48E00E9B6FDC25F6B9787BEAE + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CAAA959C2393D20164751F886A4D60317 + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813E8047485F2668AEAA1DF5DF1142A628A + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1D98E4AF3B52B309D8162C9536807CD99 + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F148A2035465DD714C00E5C7373BCAC77 + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B12453642ACC1C15D45288A5249CBD4D0 + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB0BEA9A13EE3ECA49949D8B91F333387F + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3981036899A04F4B389D6D1C19B59A8E7 + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA43C36C94FE34723EFC9482033922C656 + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 
4DAAD2227BD931B0C879918E73845D1D988754A21429E5 + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B8399CD2034BBFF45F2A02DAFC039202B13 + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFF59C40EB754F109F626A26B97718B1E1 + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01E779EA02449F856BFB7153643A94775B + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB8D4948E5CB40DF1D4F486860EE906DC7 + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF742A7677451D53BA09554F3E93BF2C3D21 + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FFF535B402CD2EBBB85FFFB791E4312D7A + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA62E493A58970F47D4004FD48E646493B + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D72F238EA5A5C993760D7687381FD9F7D5 + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = +CT = 3A2349E46356665EEB544935895B983707B1B3F03C908F38 + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00 +CT = 7B6F012D69E59228DACC5536530A4F434D6FE8EF6BB3B8CE + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001 +CT = E5D31FC8CDD2BEA8AFB61FA0B1527902F4315E294808F080 + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102 +CT = 07E31194EF51368DA0E4C062E55539D064E7418FABA13B88 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203 +CT = CC513B823C2721DEF18B3F3AA9DABCD1FA90A01F35978FC2 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304 +CT = FD27D5B5C12A4E1F79E55723D82065C4AB376D1C7AFAE828 + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405 +CT = A7564530AF1D9C058D5136062610BAEAB8A52D265E42F4EA + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506 +CT = A2A89655333717948EF219E2BA173265E1288106B934BEA1 + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304050607 +CT = 1FF84F15729386B14371E67712C01F05E6838C79CDEE6167 + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708 +CT = 807D5D994486FF7837389EAA9F496BB896F83B772AF9CC3F + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506070809 +CT = 
C85CA416C27D76FE3D75420BF27ABD9F8E2FDA1C4E56F714 + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A +CT = 7BB05D48871BCD37A366FE31E15034549D2CEA0E2BA764DC + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A48E8CDA816F4B173151B7AE4473DB985 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD50977285D5F220C37FB81D22026E2F8301B064 + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2D87EDD6AEEEEFB5E4DDE1AA48559B10E2 + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAABF407DB59858181CE17DF47091C4A61B0 + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF44939CA35FCA8ECDA55D0D9C7DB4852E1 + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813792D8D5B4E65FFC5B74A1BA2CF995EB1CC + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C16481C8D653AF092BD48783C708B64B4980 + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F63BFBF13D9CC550736DA0C4B16B9BDA181 + +Count = 285 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3DC046EBF0B8C7D2E52595E6E6DF4380CA + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2B44E5937282D4FF67472561DD9EBFEAC4 + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB35707E45F40D18958D385C99B862E86A + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6F27B21017E3E67CF53E6BC6D59BDF92EC + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD931903DE29A906D48E52AFB64BF3EA6064600 + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FE274055E42F021F9E626311CBA84612 + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC71FF3EEF9A20B65112173A26EDC4D8EE + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE0132F055484826812B8C47332E39FCB5F3D9 + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 
CAD2EAE58F8EAB4F3B01B72D0D84A92CB636A81B642BA19B + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BFD9F8FF2CBD336BA5BEB68A8599E5729 + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF697B2F138302F48FA771577D07FDA46EEC + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6D1877E45832E9845D96CAA065DCFB2764 + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CE07EBD6519BF5712A7A18E328EDC268AD + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = +CT = 3A2349E46356665E408A1E298BBC85AC69111B2D158225F399 + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00 +CT = 7B6F012D69E59228067AF6410A39032DD923158FFA672E810B + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001 +CT = E5D31FC8CDD2BEA8F420E0FC01805714D7BBBF7ABCDD8ABC8B + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102 +CT = 07E31194EF51368D52BFC62CEB672ED52DF2DBBF50C9AE2AC4 + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203 +CT = CC513B823C2721DEC162B4CA8295C6AA900E3F96B31064415E + +Count = 303 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8E1CFBEBADBC4E07FC56E9B66C5BEFAEDF + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405 +CT = A7564530AF1D9C050C416926D137E73CFC5323945989CBB042 + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506 +CT = A2A8965533371794909BD26787EDAFCD7FB6A90FCA2AC24C0D + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304050607 +CT = 1FF84F15729386B1619E04AB153784F936035C9A63F4145AF1 + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708 +CT = 807D5D994486FF78A543EECF5983203CB59F5B55630939F0F3 + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506070809 +CT = C85CA416C27D76FECF46A39CBB7AEA8E818124BA4FC4C134A5 + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F7E674FD5E14FD465B53CB9EA8B3518DA + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A960ECB98FD8F01DD52DF4AF0BAC067B683 + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772474F3EC1763D7FB24FA0A489CB111A3196 + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = 
465F38DDA3949D2DD5129654D65F36C56FDA4EB226F0C06163 + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB9471CECCE55173AF051F5277555203E58D + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B1DD410AD22E49C242C2695C86CA2CB4DF + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794DCC3CC113A86540BD3DC053D38FA21915 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646B06D5FA1D942C215A87E700BA507D2720 + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638BBCE85F544C37147D721D1E039D9B204F + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D63E34C0D156CAD12793D887F2E043A55DA + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE65EF94943DF0689AF40F1EE23E00B7961 + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB41EF7E2061FDE07F88AE4CB816589CAED3 + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 
000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDC24F2707E7EA6B117FA92F3F4BB7695DC + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD931905392943D928675F9BBED742AE16CCE78F2 + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FC8CA3A8E77869F724E20CF9B8DF3EAE75 + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2D65EDFF2299A6D0D03E196683EC78219F + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE013266B17D258B75FE6D418A44462BEC38D519 + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F04676C5120903D406C7B84D58D46D91E62 + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC56BF6B131DD033451B81703121F67EE1D + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6D74B8F251CA5885D6A77AF581BC1B0CD + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 
D578749BC21BAA6DC8B15CC61E2D8E5394CEC5ADB3E1B86BF3 + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF30D32ED6CFE64791E023D648D59303635 + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = +CT = 3A2349E46356665E40D1A50C6E72C8BAF3FB18E4ADDC47B74418 + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00 +CT = 7B6F012D69E59228069BBAC7124789DD05F71763CA1D8CBA8693 + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41A5EC3A42CA6FFC908B779FADDE32D35D5 + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102 +CT = 07E31194EF51368D52058A5D5D81B907AB398218A67D9E66DC90 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203 +CT = CC513B823C2721DEC1A720E25500874E40D533A5CD9FE667A862 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDC1970D095B4FE89A7344E94BB7AE9FFEE + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405 +CT = A7564530AF1D9C050C241717FAB11C88E0853B5A5F497E368DD7 + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506 +CT = A2A896553337179490B3BF855D65478D071DB5917EC1C3E28ABC + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 
+AD = 0001020304050607 +CT = 1FF84F15729386B161A0C11BB2B76830E73D277AFFFA8E75661F + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D87F19AC9579668C8602ADC49E6366199 + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDE61842BED7A2F9729861479CF938A7641 + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F272AE21853094B97F04AABF1B4DED5AF69 + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E51A1B319EF06BF795B47930249EAD2437 + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD5097724793B72F72D2289362D22789784159577B50 + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB774D765A0419A348DA05676DFF7D0E8 + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB580C9E99F87613E65610BDF334ABC94E + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10ED82A40011E49EF47D027B01204BF3626 + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 
7775A0D32FC813794D90A5B6CAA25CF556453C783B61F0388163 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB7E265EA68763C6621547EB0C5950C75EB + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B70B30378E0CBB35F255AD5129467DE78A9 + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FA32DC92026E8EFEAE55C7E5175CDF52B + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE6116B97E45C2186E1985FA5E5C16816A508 + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB4163A2FF4A6BE95AA344074617F485558B6E + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1E1EE88EFC6C27A549FB153FD3CEF444D + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4877425DD2ABB88193C831A8B74ED92A1 + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3A5D46CFC6434D8BFBB5A349B2A899F83 + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE2789964194CCE6D1BD467B92983268044 + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE0132662884C180549FF7E1CD1C7EA64979A17282 + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040A66CF083BEC5328F8CE06765BAE63A9C0 + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C648D8FEA2FFCB9CF16AEDC55FD1F34706 + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A9725496651752E9A9EAA83DDAEED7ED3D + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83F7A1EEE4022C54A19E7E84CE90AC50F19 + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABDE9E9D63FB7B4512EFACC0C03C0A7735 + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = +CT = 3A2349E46356665E40D1D03F007B3F6962DE78B2BC973DA28D4696 + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00 
+CT = 7B6F012D69E59228069B071139715847F531CEAAB495C8829EDB07 + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF13F702D8749D366ACBE4021A2455E92FB + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102 +CT = 07E31194EF51368D52059D950F2294E5A6A6A318A61EF29114CAC4 + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203 +CT = CC513B823C2721DEC1A7F86767E5ACC09D231685A0071BC0AE10DD + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF7138DF2394152BEC1013EDE1A5E7803E6 + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405 +CT = A7564530AF1D9C050C242BC7BE0D26F8B7BF9513652211E5C9B5A1 + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506 +CT = A2A896553337179490B388DA44569C44CDEF54C23872D854A7152D + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE2EECED8CA86A8EF499134B5224F21E03 + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708 +CT = 807D5D994486FF78A52D69F1CD57C56D1A714424771943E043F28A + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1C1E8AF6C3A04D818DD0AD9EEA336ACF2 + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9C7DDD7DD77B11D8D27A1FE14E4771EFC + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E556432C4B6EDD41866CED11CF93634CACBB + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335ECEBF79AE36F592CB9638BFB38016A00 + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB721BE537CB28D9F176B81319A675014FC + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB894A551DD8C638FBDDCEAE3B55951C3399 + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E2407381CD421DB3CDD12C976A3D0A7607B + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C4A405E2B64CD244F5F64A3634CF7DA18 + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BCC94AB63C09228CE0A7970F905B2CEA1 + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B708185729EAC1EE990CBF19E2DA68F2A0984 + +Count = 384 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE3417D84E2B492097E5D19EF722BD2026 + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B56331C0768BDAAE9758BD2760335D923A + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394A1448F9D704AECA26195AD963F5147F4 + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB129A9B5132131887A9BE485962E84B9C8EB + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3C05124D8B44F9B80CE0D3C778F10CFF1 + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB379524BEF759DA777D1EF54CFB998E76274 + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20F0E2EE69466152BC52439CA9BC9277BFD + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A79798A7E551089DC80DC97E547318EBED + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADBCF708FF6B22B08C4B6A901F96C017C5B + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E9338FBB9BB633116350821A4EF0A04D7 + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A9169AA084B9CCD89045A4F7D85C1ADF3075 + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBEE16F3E8B32AE01087EE65540773E54F6 + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC600F66F85B61BF8485C87BE55C62F9182 + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = +CT = 3A2349E46356665E40D1D0784EF4F50E71E9BD66DC85612FF4703FB1 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00 +CT = 7B6F012D69E59228069B07D1372CB127E81B2F15E757DB535CA26C5B + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8D2041953CE62DE9C2DEEEF0EA57CF7E1 + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102 +CT = 
07E31194EF51368D52059D366AC476010722D798788FBD0190B28699 + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB4FC3D580CED88B57BBCC320307806C80 + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF762C6D703A3C438EDE63474957D13AE959C + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405 +CT = A7564530AF1D9C050C242B3AB23C9095848D8FBA6BC57DECC2782DE3 + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = A2A896553337179490B38891817767158E7413CA7C2A91D797F23DB7 + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3FAFE4BFB3084D3EDE04285BB947D83A4F + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = 807D5D994486FF78A52D6916529EE0E8A5850D10BA67E6B2FEAC4969 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E9ECDF404EF673797A9DC19E1773BF630E + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDACA0E6A02AABD3FD8181F9C44BC7B63F + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E5563233D094A440332428CF2BE1AFD40E6DD0 + +Count = 410 
+Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD50977247933507F89F44FADC781892DA11F7D0CAA65A7A + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77510534F7EB04BA5FDB983282E7F9A89D3 + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893ADA891A35F7A08BBC1F63597BDFF84D16 + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA6782D219D1DA0EE981B609D8E161D954 + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31185CB47DBAB06E1F920DB5B6605C1244 + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB85938895EC220DAC6A2B2A440934A90EA + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C97DBF24100DF50080E8B51430E3ABB9E5 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE27DB7F49EB48E609C5A80C27ADA52212AE + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 
000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D2160ACC3A69A4AB4DEE5DF8716961BE83 + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB41639488A781345B6D8E8559B1337C2407868D92 + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CC2FD197B6386F8AFD68729FF5653DEF4 + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D317F83E557D5EA7209DCEA848F719B3B795 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799523B4E999DD8564554BE69928785EED8E + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3C7781802680A72FF3C53DAE6B09E2462 + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A71195718A3E1AD452FE40FCB81CB1BB3251 + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3BF171EC006FAD5FCB838C2A90C18D252B + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E093AB53F51DCAFDB0D15D551F7967BFC70 + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916804BACBB1B3052A1CB4CC1F40A90E2529D + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DCA4DEB2DC08DDC29BC1961A48728A68 + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D440066B09D31B3EDF779D31A5AD5423A + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = +CT = 3A2349E46356665E40D1D0787D46B797BE8922E1D88613914760374711 + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00 +CT = 7B6F012D69E59228069B07D18CA6B91FB6DC063182FC2B2F4A7B8B93C5 + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B838C9617BDB4B7A07486ADE27A16ACBC626 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102 +CT = 07E31194EF51368D52059D36DF49C3ECEB1E0E483A8821470DB8E5ABC1 + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5FD66CDC468B9F796DE3CEB6489DFD8B35 + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF762862E39D767CE95AD3E2A93D0B1EFF3FB10 + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3CD88E5EFD614BCBB2FD0B637CCC238CD9 + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = A2A896553337179490B38891BEF7BADB5F2D22386AABC573B5F003CD92 + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F76840839223D617F0703E571B7D4612024 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A57AD60CF2E05A214296C72F0394771A + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B5DA6A3AA9083E8D2C21CB2DFE3C5C0C0 + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1728F898E350D4CC1B09A9BD9E56CDF07 + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4454DB078478715D7BBAD222C339AF9EB + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072EC38A2CADDFD8D70D0ACBE6DDC062F7C2 + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB775268DA81D1F246758E03B5C8EFA8CAFD6C3 + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C06B100AD51F9AB4C390214807C499F6D + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA1419F87567EC5662F89F2CBDDB0C1B1ABF + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B67E8FD568394B5B93BC8C32EABEA39F5A + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB8125A28CE86CD3869AF3E5F3ED543228B6A + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C909E55700C8D0BCE16B173C04594D7B6FB5 + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273F6479EE480AF488C7590A2F4BBF2EA5C3 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20BA40606FAFAEC3969E0B6EE50CAEBC9EA + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 
000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB4163948829D50F514E1DB98FECB8D5464A42A07C63 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE312BD5ECCF88215DDFB092CF5A60499B + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171DB3E53753D61F95D3B9A7E239D22E3672 + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB37995321B338D6B07B093D3180AC6F47DE9AE1C + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD84CC78E27B31E30D86F914FABEB2B7E9 + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A71191E61A4CE489B2E59B2D7C21739B2AF195 + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B37D6B73AB382AF2AA5493F399B029D7076 + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099D26B7CB41DC56615E9B321CFB20CCFD45 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802A4DD70AE3E99BA4355F4B42389B7A558E + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DBB0740B9A3E2D2B3EC6A2A6489A092B43 + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D34D88EAABB95B6F14D505FCF0C21D06540 + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = +CT = 3A2349E46356665E40D1D0787DD389A5C73964FB9926A823F9598B66E4FB + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = 7B6F012D69E59228069B07D18C50C68698F3873619BE3428FC68CD64F13D + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F15469EC21203CB4DE69F6EE130061881 + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = 07E31194EF51368D52059D36DFD9BE8C218FC61FF85B8506B64975FFAF77 + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3D92FF62B98E082F10AD441407DCD06D7B + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF7628619CB182F78D9D0C183D88B771F7A3D52AF + +Count = 469 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0A4C471B89476ABACD4BA8BB161AA2DC99 + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = A2A896553337179490B38891BEF176C075742A49F3FDEB49841AF51FA74C + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760ABA24B8D0309B1CE3526BC9D63EFCEA9A + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A944F51CBB0DE5DA669A1115D5CA08695F + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9FA3ACC5D62BCB220D946B7DA7E876ADB7 + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA121AF9924D159C6E374BA5B51BE12C4D29B + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA406DF0A203F9D99092EE685089CFCE4B + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1C32CB80ED2F2AC8AE62A06335814BFB3F + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = 
465F38DDA3949D2DD58FB77526F7DE6CDAAEE1FF8BA51DE6ECBDB90F79AB + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54739C0775A72B5BAA029BCF83D77A303B + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC5CD70C69E1AD9F95AD79F9271CA53ECC + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B67754273BF38DBFD4367C3DFB2B325F77EB + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E70F2403C8E71FB45E79A3D2C0B21385CE + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D2A8647F769331FBCD21319AEF818A4E5 + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF22BA4B8ACDCE1239A422AE88CF57DBDE + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8FA10FD32B5CE30617FB2D1492C27653AB + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 
A528C33B75E4C3DB416394882994708AF934BCE63DC5E63D8AFF747CB24B + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A9EE48E6A0BFDAE3A46DA5F3DBF4D9A32 + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9945ED533ED7F2CA3D99E51D733A66A917 + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D7A7F42BEF6FB8662E1309D62435873406 + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433FFF31A614D9AF0D0AA197A4F1906713 + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A6EF2D19F170FC1D376316A1C542F9EC5 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378D55A2F6DD0608625E6CCE6AD2C777C0BA + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA1FFE0B6E03A75810228A227D12EC9ED48 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D 
+AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0011722AB27D4394DFC1FBE4649BC71FE + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5ACF8B1400926EB69709C91F9C6C087F49 + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D3450D2A11DC80AF15DA1275260CF2FED8A22 + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = +CT = 3A2349E46356665E40D1D0787DD30F5CF52D282DB4AF86A283DBD7B063338B + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = 7B6F012D69E59228069B07D18C50400EB9206EF4E895F0B1AB4271840BD638 + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CA1F1F60F93C487BDE045592E6369BA71 + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98FF6514D1E6B657F90A13C4C06D738D2CF + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD72A1D368B7D9C35BACE00DCAB3117B9D + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF7628619211C1E07948FB41315B0EAE5121D69B94D + +Count = 502 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACECEE180526E8D6756D87FB85D9C92FDE6 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCA63A84A6F03EA54088536234D4F42C6A + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7ACEEA20AED186B2408183C8103C1C97E + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D119CE91B90B3A038DCACEEBA0898975E4 + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A03271847003EBB82DCD8CDD11434818A + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217DD1B5602F730720D18B251AEB64A13368 + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA35D32ACF1FB8C6BC5C5679DE7890BF0263 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D1138F487485280A9130C154E13E9DA9 + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = 
465F38DDA3949D2DD58FB77526F7AB3F1244148E71D041976EF37A4A110C97 + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8A2AD5A7D2101F634F9B1DF3BE9369C69 + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC83ECF8245C38B1A43654FACFD43CC07D24 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D4FA0B2B41F5F8E3136D65FCCEA742ECB0 + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B4DFBA7CC320F0A4BB567B90572FA0F13 + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4E6538F52824AB48C46C11C15145EF159F + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3DB181A8A3A3EDE87F056162538D26893B + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5EBE6C2CAD41D4C01631B16F51CD52EC90 + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 
A528C33B75E4C3DB416394882994D249B86275E9CEC06D1D3098788213D04C + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CE014366ACDC23D27AE6C98CB656554E + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D99707F82911BA4C483754C9457431F5C8BFE + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E265AEC5D7E73B52EF2822BC54F1B794F + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433BE325C40FF3DFB0A414E92E90C5DC8B1D + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1496469D8A725295188F308B78F7BAA884 + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAC7718AACFB449CB63E06FD3E78F9BBEA + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16ABF26172B9089FAA5B46DE78FD03ACBD0 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC05681542FC28A708F53EA57564D6C8242DD + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0B94D865C51A19269C74D9AF1BACC51F9 + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D34503334E4AD8198162945DE98D7E3C06DE9EE + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = 3A2349E46356665E40D1D0787DD30F01C848E2A6665554962A75BE9DC59EB9CD + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401754A78915D7A33ACE0F2F7CAF3229453A + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC943377F3EBA0EA2DBF72B358D9907B91 + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12FAA4064A6A25BCEFF7F237CECD9849B5 + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD852C82585A9F70A36D04CB474F176D83FB + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = 
FD27D5B5C12A4E1F8EDCF762861921897FE7108B47720DAA98B11716AEA713E3 + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20435B342B50279D4E30DDD1B8C22BB94B + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD636B4964A04B5F792835949D2523B72C + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0861ADB98A10DD30795E97F1E6CB4D8E0 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C7EFB393AA8A0C891C75C99DE647D7647F + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4FDD92BC2FDA60FFA6E68B80B2922BD521 + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E386BE06958F761C5212FFD98F26B4E67 + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DF9305A6DCBEE2049A75DE27759F33184 + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D958CB86990D0617F8B966EB3E84E71D83 + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB484B49331EE3F390DF978DB647984154B6 + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8913F5A8539D8A1D0628973858EA1839BB3 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326EC7CBB0AB65C1077916BE304AEA8C04C + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C43FF79A49741CB2355702E062A49E79A + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0D2577B389A8908838C122C5DC4759885D + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB2ACEFFC2C393798EE399D70F05F81FA33 + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20D0DD20736D43569B02DAE4ACE43D3831 + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE7C55609DDEB0725B624EBE297B2BF45 + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFAE7287C4112424E0900133696B51DE43 + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFA30C432389C51BB337FDB4E25437B4B2 + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1B3742FDDD812292037AF8497B85EBF1D + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E52124A5844F4CE2BC12D774314F32936F3 + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B64D8F1033DBC261D1B0712C7EB1DA01B0F + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495CA588165C693AC9E66B5711A7CFAA333 + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE9240D33ACF9929FA85E9CD284F963B070 + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 
8A710305BADF747BC5C66E099DA16A7367AACEFA45487A900A1628A19BA35138 + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC056097B0D0B6F6076FF47BB635B0BC758B838 + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9DE9B5C6B7AE4AD70674A651420515F52 + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD02ACD8EA1ECAFC38125151EB9A090392 + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE475A56033C5DE4797FC20F83ABA7D6C + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783E5F34A58224A1C6028DFD411B22FBA67 + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A2CE4FE58215606164F3912128E568B6F + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A096CD5E16E3D823C96951763DCF5D495A + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = 
CC513B823C2721DEC1A7F8AB5F3DBD85F77B37CACDB3592A1588488DE2BD6D2333 + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF7628619218913C1AFC1D7DDDA2A9D7CDCFFDE83391BF5 + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE208132E6B7C1B08AB921F5BCBEB8571EFC3F + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FD0C4E6711CA12CB1E492ADC2E2563E2 + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD41F445066D444B6B528B67CD45BD9A4D + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C743D330CD5EB18AEED5D0881B8C08E867B9 + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56435F5611266FC13B1BA880532C775FF0 + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E170EE6D9E93169739C2344315BF837A6FA + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB0EDF30066E75176A7EA80C1E07A4099F + +Count = 575 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F4B997C3A5F577065E183AD3B71799EA9 + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB482521BA60ED21A0B72A8823222F77552447 + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D89152F3C1A430ED9D4BF2AB395CB907212E4F + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326334FC9150ADEBE05F409E390DBE743E48A + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D73EC7A28A6DE3B8B8DB1402AE2640B19 + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBAC35643731B4635C11895A93A0622F486 + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB2482DB844E2B1AB1856A685093C663ADBAC + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E35DB43EBEA666034BCA5D9E5A43929FFD + +Count = 
583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE7A7AAF50CEF78AE05BD3449B03B2E926D + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5E868284BBD06F7722CD9A060EDF1147B + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1075AC101EE083758CE68FE590C6DC2B2 + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D11644B90F98A8E0C51858C8DF0FFC596A1A + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E524757F9405FD84F1F2775455615DCD55B04 + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E286ADA64D43DE4726957833E046B370 + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495557FB4E95935B3F83DCBABE926715C3B93 + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B1BA1FC6DBEB28412021F6B3B78FBD76A + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730FA9A887847BAF923DC4A1184C238E86A4 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC05609230F423ECF6A915054C803A328D65557AC + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FFF32661F5A15667DBCBA56F3EE3B8B3C1 + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C92798DCA0A8916521DE8016D4E07F7EF + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE4A810CB5CB07669EB3B6E9D0B86CE2FC5 + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0BF1E76C209746A8EDD31F16EB9C79B0F + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A5319A516C0B4B73F9AB23937B185DE439B + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E72BC5336D4757EE2CC40AC70DC1B1E1D9 + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7EC5DA0D370B96A423C3137909B1E3FD803 + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136D7028344AF244DAE3831F0AB166350DDF + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE2081088EB8B94C9B58C0511EB816CB368CAD32 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC4D54DCE5CBCBE3DBA7780DE6ED2F5B0D + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD1597A41F9E2B886C33F616E1BCD838EE54 + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C743258FD8B0109E978F941A5837BDCE378D55 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56766A62CC390D9D4D5976820F9202F667BD + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = 
7BB05D48871BCD378F27F9BDA1217D6E17A3ED8C87A921D1738DD094255DD2BB0433 + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8EF6598CDD8676DCA618A08D1856C9CE65 + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B0A953309C1B7FE5409FC4B983D8A1F26 + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233833699625ECDF315EF719B15990BF0F + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224F8DFF1E24274AB64A71739172928AE6F + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC83263302B2791D202356A2B4D557F1743A7C752F + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A673B650150A6143EF2C21699D7D0680C + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADD70B55AB860D72F37A28F863DCD02D9D4 + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 
000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCCB2D535F7123905DE80DAAE2D4C24E56 + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E358BC43E292166CDFC1CDB27CFDF86B321B + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE77289DEDCA59F567392B8314E0E803D1C0C + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D29188482C4E9C90C4BB7B77AF3B743355 + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A83AFDBEFD1EB185DFC6C755D3B2BCE1A8 + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169B60CE4FC8E129FD4BB229BF9D58C9C5A6 + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8181378A11E0359A74C93EBBC18E40389 + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E17A89634A438D64CEAB13245589C46693 + +Count 
= 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554EF8875DEB3E18DA00C0458200AD4548E4 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C3C6AEBC171B4669FC2AC0B63DF4B3256 + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39A583F67CFD7FB60DC1034D5036752AC5 + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1860E8701CDFA7CA469FFB3C2CD5D7CE6 + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A7A71B557045693F980C8A93BD135C0DB + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C027EEF1A7CAB5E38C12A743807F2416163 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C159F417C092405D263ECEA7B6D612F5E + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F 
+PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EAAF163CA48C59703FA7CD719056FC3176 + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539CA3C96E9449974260621FFE2ADEC057DF + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FA6A4C2BEF05DF0E2B5F986057CDF20C3 + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF46169632CEC56EE77AFC302FF1BCC2E85 + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB69B55C853CBE7F5D2B51571BFA4E4C55E + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866A0AD42957DC97DD87A366AD4D19B920D + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A8B476AC806E3CA2287C5CCB2BE1861CB + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152A5126A41370E438554F2D741CA6CB1FC3 + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = 
807D5D994486FF78A52D691651A9D1C74325C4FD242EF4811DF9FD980BA954D8763B12 + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762F8A4F0A7FBC44C07C125F16236CB15979 + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D28A6000AF5BF86C47CD56B84ED1923392 + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E0004AEBA501473ED5BB23B5D165454215F + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B850B826F41F2F44C31A22D4CB7A7068372 + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233B6FAD5B82E3AD23A0E61B061E11E72EDB + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B484CCAABBBD09AAC5A85554F16801C7A9 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288B95D78197146D4260AD0046596843D51 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 
000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7CA15D98663E2CC551C75E776DC0EF8222 + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD0A5DE8701FB53F8AC902ADA9584A0E351 + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1D66C9F75447E549A4D07EC02A528895D + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586BCC01EA16E77820A0EF723094D06C8945 + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE77202435B3501EF15EDB721A2E954FB38EF48 + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C4B01EB2D84F960676D9F0C914B5595BF + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A8427F9DB469E9C1A7B46AC42CF7DC3BED42 + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB5E9438BEA9A620024F5BBC11399AA18F + +Count = 
653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE44A3C902EF73F03331E5A5C3D377144 + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E12516807C24F989B195909177586503C5A8 + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E1671B68ED0FE878DF041ACA5C7181389B3 + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F496509A290DD7DC47D19DA6267EAFA90 + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0735EFB603BFDF63DA890785D78DA5E16 + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EABB4DD76747B93CF8BC44D7674C6C9054 + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8B8CB39D6A40A0F45F441060B757386453 + +Count = 660 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3734C865CDBDA99A28623023C48F0B6CA + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C212AF4066F1802FCB57F1CB0A207183E2C + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45F7B3AECC164671D04389B3953C9C9A03 + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F2213EB0244A282842FCE5EDE3F06CABD + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4DFE6686F5C33B9972F2C5107D1DB78AE + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BF6774BBC6AC87B2B27232C1529F49579D + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AA564C23F9F8E4A7D2E6AFA849083EE70E + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE2081086647644E7FEEBD0193F5BC8F97F8EBE8E76A + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A113424975E53C16F01A7F89946633581AA + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD3FE3E3DBD136CF2EBE1E0FA433D2BAECD + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442473D675DD31527406D1CF79AC62F8D8F + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF7C1906198C3C3A10B51FC92CAC4E5388 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DC8D9B0DBA36EBA7748AC6139B674D64EC + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A50F259231042D299B52B3569D9401F938 + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B85597FAA57E2101D4A81007E479E4ACE23B5 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF7E06B5B8507811CD8AAEAD67D248FDE87 + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B457C5703C145288CAC8FDBC1DBD3D9197A4 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D511584235FD3686101655FED9365836AE + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B709152A9C4D97D63DFF579929A344911 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094152E18DB658893D6B451F732244091AD + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE43ACC4AD119926550CEE33BC47C672F7 + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6A23C4E17747A89E8009C489FE40E3536E + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C8626AFEFE445AD55F19B484C9753E0EA + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 
000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60A81C9D110DAFE4D53BFD24B78EAFEBE7 + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A842660750872F64CDF7A2C9D07AF9A17B9D4F + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB494063F99411B753A2FE3F4457099079FD + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE455914032B5B938DF204425A3C591B251 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A393673B74C4D8623DF03783F53962DA36 + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E08674F331CF2EDDD5039446639CB1907 + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F136C2A5F2CA9CB7A2D75BD35B46AFA5A7E + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6B9A23E662707358D536517393A19F00B + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA879B86BE34A3BC437865CC293C9AF463E3 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF74DD64E38AAA14121C9046DD6EE12C5B8 + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E570C5A075ED0300C6F16B8C0FBDA3D78E + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A0710265A8DC7A603DD4A47DC56F33DC6D + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA452287144B8EBB16578EBC4A9B14DB7378DB + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4E037340B837E775F9943B108F30B91216 + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E713B251310463B90DD9699A95B99BAC90 + +Count = 698 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA2A016E6185CC13801E17D969005BEA976 + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFBD3DED4D6F630EB173E53F787AF5F111C + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B23F596D99C222ECB0308DBE30F3B93F0 + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189E370C55C85C772D3AF90D749CEF95647 + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381647D946899D48048ACC310A7ECB4D93A + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E12FF2E3459A9FCBB88B6B6AEA9302AFBF + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF8793069CC87EA4A57750DD5477B710EFDC + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA932FFFC1D25554BCC9F99CF5C8F97D148 + +Count = 706 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1A27BAF6AE0F2C078EDDEE1F5A67CE869 + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDBE99EDE016B6BFA77B51DB3CF2FC1836 + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718022B27AF5680B7E866EB208BA90F9A48 + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F9393D249A623AB03FB81CE5C2455749A + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F0621DA3C895C9BAD3E74C010E0B27CE2 + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B97299005EEDD0FD77AA4C49CF114A2180D + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FC0C0AE2B277BA6A235B2928B3043950D1 + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 
000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE22CD80F32494697D30C3929B77532ABF49 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC2CFAE1520B819024A0ADF4D71B085ED4 + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7AC4D65D1738A581CEC40C56997B7AFEE5 + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C603724FB264068C2014BC1E396E18FC3A07C + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B7B454E3DDC341DC7938E212094AE02DFF + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49AC8B885F92C382D2B4BFB1C94F7DDD39CF + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A3AEE1674CB76B75E5E040829DEE8F154 + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
+CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A3883C5CD4140B6F0F200DBBD2EEA6841CD9 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64C5155AD2E747431DCD9C9A45D938FEDE + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8818E2B27C45AD6AEE28CE25D12873129 + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E45A59F662385DD415B8A587B43AC78EE8 + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C1EEB904497073B1ED415BE63924EBA2B9 + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77A68B4936F1CEEB422473767AEE3F5A461 + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3E9372C34808AC5FCF6487F040B3A449 + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = 
3A2349E46356665E40D1D0787DD30F019BE46C21A06A427007C4147AC02FB66380FF420A9588 + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FB40AA4AC17B842D07D0B44BCE6563C66 + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED73412F3334158886FAF8CDA1F4BB7497B + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E949FCDEFB29AD50A858AE1410F9CE59EC + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28B4D8698955ADEA17AC4286BED842555DA + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6F4C37C68A40A23ECDB4013B130DD8F533 + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B5355126C597FB74D4F1232060FC161D933 + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CC03CAE2464F13B27647B7C2B240B03190 + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = 
1FF84F15729386B161A0CE3F760AE7E0BD152AD381C7CBE6643BF5D6CE328D9CBCA1CEA55D4C + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B7217773A2E4AE050D15B89B010F97EC42 + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BD30668BC0C52863922502A7E5FB68D485 + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AFAB82C781919BCF3D7EFE8944142B7A82 + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C9A939A3A0DAA9D593729B62DC2E1D729A + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB397773E8304F9CF08734E66761F07F611 + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF7184613618C4CE8D2EFAC0B75757A60357A81 + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5ACD02072DDDB360C3E5755F2B82EE158E + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17DB757F8F70882B9B31C7FEE2A114B0E3 + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978D8F85AB683843B878D3FFBB8A9CA14839 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE30E8DDD3A8C8E10FA7D149D72AC3E4995 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221E51C376EDCBDFB74C786EDF2D457BC3FA + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC68C35F7AFD08394C90D5014CCA027230F1 + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACF31767939280EFEE012989423EC0B6B1B + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373CDAB54DF418998EBDE57F7A52A0B51D52 + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724A3BEE1AADA7F988CCC7D944A986C9083 + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB8F5AF6AB4DE318F443EB948C8FDC4311A + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7B98AE97B2289C0DB26C5337ADD83977D6 + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388188B50BECD48694E79FC1734C1C7FF74B6 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6D7F1C8DD41B3AA15F502C1C5A14992BA + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B86CEA8E9D605AEE9A47956C6F2E92B5B9 + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E41501E0E7B3381CF7D7DEC55E8CCA707B67 + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B04E2F0E9294740CDEB09193501458671 + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC114F1B80BE699F2317BCAB0E45B5E7F68 + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D72EC451A0E85BC8834729E41DCB080EB + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49B8300E92C04CE8A672E8C4B26A0F0890 + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA7368AB78CD6CBC8983D5EB4C2FAD5EC2A + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7A5F8FECC34EA9142DA0B5B8108DBB985 + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97E7378F18D86990189DE32DBFF7E4757DC + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = 
CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3D871545DE4DE5D4C58F71DE5406AED4E + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF39ADDCA71E708AB0E20053421FF5F773B + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537ED6046D2A79AF98BBDD612AE1D22896A9 + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCAD1A27123E442E2A6D473718C358C3D06D + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C758B6C9A6083B3B0EE3263988B223DA3843 + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76DA2180F300F6DDF2497EF01E8FFEB1D92 + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB096B6215E12068AF51C43347592E48644 + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6B8A462E86F07DACE2C62827EC88E305D3 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940821B0A503E5C13BADDAF8887CCF12824 + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3185C5B63EE9C40F8096A3510EE88FDD2EB + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A16BAB426CD2662D8151C8ED21FE1613A + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A0948DF677B13672E6FF4DA89C5719FD369 + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17102611E1BEE42587A2B273012453D425D0 + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF24698E88F4149532DA46040F22E139EF + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AEB48E97856E62E27E7FF52F14226C3D50 + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT 
= 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA6DD8C8C3DA48205A4951E6E82CF1A19A + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF8197BBFA16D7541CE5ECEA2ACAEE5C1 + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE9874A94EB6837AE35A0D54578DAF020B + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4FA4FA618D2DE364918B19925D8B12162C + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F241A73CE4C89517A5202884F05AE12AC8 + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837F4D1420095FB3110EA25CDF61E107485 + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4AC0620A50D545B3DFDFECFD60EAA01D4 + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181C7F51DC3F6930048B0985D5369679CB57 + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C38170B0C607ED650EB0E2CDD56C9B1E7D + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5788333E4055F72B9D73D4CC53CE08C4 + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E41530AB0B4E2B5200FBC44D3E5A069248AF43 + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B8839B1F934B9A2C7E0C1E457FF5762A66E + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB9BE15286C1528635D485D1BEE590079 + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D052273A031C4615DC8F991A3C499847350 + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CE8D5B6A028C8020C9FEBAA5ED70E016E6 + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79A55B5CBF164DCB7B28547BAA6080A06BF + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BCE31D4827372EF110D306AA85533537F6 + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06B29ABC633B0D1D64BDF5528A65D1F36 + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD337E6A099AE3BA60FB9F0C2F52C52E5A2CC + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315E52B03DFB48FB9086A0E3182607D6B64 + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1D88C926ADCC4C32400CD6193039B2CD38 + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA23549379BD04230603B963132E35A3E9 + +Count = 801 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C7589751DA9ECAF9BD4C6E0F77496D5FA29087 + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0179866B7A8C23D19591AC6D81D8352FD7 + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB089F10A2C758401FAF4436372700EDD7E0F + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDCE115438F3719E9CC6756971438E7FDD9 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C94008DFBA5498F2E055AA38ED6D5F19F5D455 + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BE973EDE9EF38E5239826422297CCC382 + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A468468331538C436456CDAA54C8F265130 + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A793B4EEA0DB039A505F72E9E0C66058D9 + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F171074B117C8A26F88E0CC39E2D935E57CA6F7 + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09F82C9EEE44D98D5A263B695896039132 + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C8425A8C3ACBEF7A624033B2BA1EB63E2 + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06DE7B8D8EE2B1FE1BD914818349DE9C0D + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF0429E92BAB5D3A552CE58591BE2303493 + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EC8BB4DC76DF1EA2AF0CED9A466B76CC7 + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F389B18DD66614C6B5FA4BFD82AE836F623 + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F244053DA41E2133CD423402EFE5C33A898E + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837718A6AE36B5B2AA7C7462D8F98A3E6240A + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC467081C9C0ED12695C032C3E81F5B83766C + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB23831A9E8550EAC25B32EA85C7E04E530 + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C303230D66296E506D5021FBEF36E044881C + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F6324A22499DF72AA35755A03E3A00391 + +Count = 822 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E4153026FB5FAF3EA22D65D7B75105BD7C6A5E67 + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D5940742DAD2851D585AE789D2DF3DE62 + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3EC276FE86CAA2B543F94EA6D151E890D + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F12F2AF1C2859D79D9A0F2A2B5B9C46D34 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA0112018889D65FEBC91ECB1F7FB2DCE21 + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD276ADC5480DD1B872B8648DA031F75D18 + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC4264E6AED2F25F7AE5A515EC76296CE4A0 + +Count = 829 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FB30BE9A8C50B510D7C048BCF3333ECD1 + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377EB4F1A3977268A0F21CE5E8AF7978E4C9 + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD8ABA21B62CEA96E4013481627CF3A0E2 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEA6E97BC920743E0E80020ED748F58840 + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA410318F6B2B8A8B19E4D6118A9BDEDF6CC + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD96C9A5613A9929D8F90DEF5CDD606DC7 + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0132A1C5697D4E56D1A6E4944A304233C23D + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = 
C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CF9E63D32841EA343783A1E210276856E + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D30AD0EFE8829C344ED6ACBEBD4DD9439 + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940089660232A7A68C69B7F87802CBE0711D919 + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA31D1F0688B9935749CB4BD49A8C2F8AF0 + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A4683C09A8ED2229B514AD7391E75381AFCD2 + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB880131EBA7ABC8762F17C77561CC364 + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424C0D02DAED2971A39BB0BDB32EFFE9698 + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 
7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC552B0BB8FD320AB2CAF76A0E9FF49637 + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C153AB5D4B972AB3CB662C693029BAF8D + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB713F7B885D16D73A634977E5EC6D28E0 + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF0782D0B7B78B53CB37A67FAF6C44171B0DB + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF98DAEC3F19A63609D9A16F61241263E2C + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D85647FCA5DFEFA2F669C64FB30BC7F4C + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443CE2A0A18B287E3D3026FA44420E30DE5A + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717B27E4EE8D30B5FD01DFC9BA5542FE6E8E + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676BA79CE910EC96EDA36E40A089E74EA73E + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1DA7BF7326E04076A5552C4A0709249AD + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C30369FE7C5974D60D6C66D4117D77508E69B6 + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F053408C02B2B82AAC11380A548DF74F4 + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E4153026721EA8463975146C75F3E2A2A3CB6305DD + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D18C367C468808009711427526AB50C6E9C + +Count = 857 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E7BA89BA1E5AA5B4DE80296C5A04251BBC + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F1535F780621121B0EB2A94CB13C9528F311 + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA07A89A1A2D351DA3923314B2BAD4A8579DF + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD2BE6DB52903060F9CF7AE3BA0BCEC836722 + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC422E31B57A5227755533B82C538BD638777A + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FEF7AC4FC02FB527DF752B7503E6953E536 + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377E753982ECBC9639FE86159177A4B8FBB062 + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD1A98734764A158C6DEDEEA403A73977B9B + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEB7162908714DF003B61A1BFA95AF83B174 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA419001EFFE0C0CA0A52E57F9D84C8A7B919F + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD82FA78AED1D5A2B6B57282D685D8053616 + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D01325553BD514BF419416B73CB3FFAEE8B1040 + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CEBD045368F51D2A2F435BB73BCB6FE5E7C + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D3932E791B392903A724308D5908058AF6D + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = 
BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C94008963345CF06B9BA248F9E78C9E9C0AC3F8324 + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA3B8515D69A382E9142E0907D5AC94EDB8E1 + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A4683846D74755EF173EC9392F49C901F9AD261 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB4D8C7424C087460515DC8FBEB84D9D06F + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424274BA39C4F3FACBA5DA546FCEBA52B568F + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC52CED56608E63EF988D46E96EA932A7401 + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C0AD7031DC01A667512E79D3B8EF9D13B62 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT 
= 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB723A253407A8731DF1DA226877CE627AD1 + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF078747373E33695CFBD5D1D695489CBDE67EA + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF9807761515382B6F21829FEA47A169CC576 + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D3FF8282E2FC5733D3F0E68F98961E10F7A + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443C2350938169EA1C8242D4C2233F3CD1B91F + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717BD7846EAC4031FD91EE2F51FA21635EC8F4 + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676B762673FCAED8AE2D385864B456B63D4152 + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1E03623D4728FD0B7ABDE1D1892C3C5D19D + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C30369F9E1955A871F8655EEE844203B5440107A + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F6C86E450859D7077DAC2CC6A6C29910247 + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E415302672A5FF5F32BCF17E4808AB2ECA0AE9FC84F7 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D185380E9D8DCBA90CF2B27F78FDFA7573957 + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E74E6FA61197C70228634FDAE9A6CEB3936B + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 
75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F153090CDA3CA51172FA8F17598227D9221A53 + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA07A528D279E5AC77B36B3E0D3A4965E8AE944 + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD2BE5AB2EF104752FECC6A4FF10A1AFB79F192 + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC422E1FEC501383D7F086EB2613837987387AE7 + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FEFD17C0E44AABBD4D872A0EFFEA58AA2EE30 + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377E7530726DE269A404AE2BD6362EC9BE99114E + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD1A2ED91AFFA1EC7943837A8E9B9F0A9A4CF3 + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEB77A27A78FE7E46384D0A35F03095C760896 + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA4190340D13590DEDF777E1A171C16AF7228114 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD82BBD1D7E9BF1723B82B836D3DBC99244D2E + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0132555EA81C44E6D9D2CF220F8992045F43E36C + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CEBD8EF609C1D0665E0BE349510A421E2C360 + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D396CAA927707824422F799AB7ED99464581F + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940089633C6F8A0C87040C6E04D23EBCB5A12CD08FD + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA3B85E0AE0E76360D4C46A7CFE1D9D287C63D6 + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A468384EAAB0F5440C5217E3FEA95926EDFCD5014 + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB406F2F5E54387164BDF9B8CCFA8A71FEBD4 + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424278FF449238CA1B45FE812A4747A42488AFF + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC521829A0498101EEF0CD75B68E0293D346C1 + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C0A9F40CBA23F689B980DEE11F9AA02701E4F + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB72064F3B2ED21934548A6D5DA39BC0D017C4 + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF078747EBA714D42F7B8E05E96054AD3C8E28266 + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF9809727E608A382E77524674A3DE0831B0B20 + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D3FF7740EED287C46443E1666A2906AB4D357 + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443C2376007DD155B7E347536EA2BED25AF21F41 + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717BD706FE1D5D52D19DB0F8B69435462102D728 + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676B7617B99CD5A3A300307892BC742BA06906C6 + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1E0F9DCBE755A550CB10C730E9BDCB777C1A8 + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 
29126565DBFE01326628A711910A1495554E168E64E6C30369F9662601824156E7358F94DC920179092810 + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F6CA4BABDD7FE060150550F9AA05289F59731 + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E415302672A5292ACB838FB23684F67252FF0023D1686C + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D185305D9EC056D2C8B19CB2CD215F609EFE746 + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E74E8EC6C483AF6742EF978BFC36046695B436 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F15309C0251C5D97C0B292805FD44E693BFDC8A3 + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA07A525E635DBA0A8767F6356B674CCA29A91B7F + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce 
= 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD2BE5AB800B203D9A2E8F7AE8E18AE8FA909B563 + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC422E1FAA931980AB391CCBB8D3BACB16E8E11527 + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FEFD18BF37FA4045F93885A43A947342E736C4F + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377E7530B95482A095D4445A759EBF8D5E59BF7452 + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD1A2E7C2303A1FB90BAB78851214F981F3FE2BE + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEB77A94B446D75BD3B5AEE2880C2B807092D883 + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA41903443BBD66C2543DDC095ECAB3CEC5E05C118 + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 
0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD82BB25D70F0F0888FAFDAC16469CD59AE8AD94 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0132555E6212D50BCEC8A00847994AA4F5C9A23C2E + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CEBD8501EF6505C58546C411868542472A78E84 + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D396CBC21DEB11F5DCE035213F8BBF3304ECAAE + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940089633C6A334EAAC983004B9E5D12DDB159C3CD58D + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA3B85E08B9C3688EAB421CCF8CE11D1CEC4A74E8 + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A468384EAE8FF7A8E8456AA8B0EDE13E8653D27297C + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 
000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB406E9AB025DAE62AF3D9578337AD24BB01600 + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424278F561BA55D39623BF1C746974D9385AEDFFC + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC5218F0706A4A8AE95FE48D41926C88809D747E + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C0A9FFE4822BD8EFD23C0B4679CC85B58505135 + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB72061E6171F3FC8F886A2446254DB78D796444 + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF078747E0EC55FE5BCB3F8E3DB2BE8E7E005E60E69 + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF9809718B1C1726A8BC8BF51E8B1F77B689843D7 + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D3FF7DB0AC31541A50B5877FC235AE34460B837 + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443C237619A57EF0437C8D819A0612F023B6F6B11D + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717BD7060912343C9F865090DD3F4EB85FB57B3D61 + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676B7617233CA488781ED7BE621F8E744AC3151CC1 + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1E0F95ACC882F299FEC6B36EE78AC637D565184 + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C30369F966A3DE02BD56FFFF8E9DF7A3CA89E0C983C3 + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F6CA4264F647F9BE156D591D15C28D48C867EE9 + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E415302672A5291973B5F1B4272672546BEAD3A0A4832F82 + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D185305734802AE94E0107CFC1F777B0C1528AFF0 + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E74E8E5BDB1473A659CFEA17C61F7878ACC26975 + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F15309C07F646EF7516F5F085C6161F8FB4B9E82B5 + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA07A525E9268F64CC267EF9D06A00E7F89A5E6F188 + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD2BE5AB844BDEB3EBA495AB95227B29A2CCFA6207A + +Count = 960 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC422E1FAA5BA017B21125804D6E6E2FA5BC0E1FFA26 + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FEFD18BCBEB26E3B0241F6525A70253F4D8FBC9BD + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377E7530B9A6FE233BEABDE05E3D5791AC57E43BA0F8 + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD1A2E7CBF44F3F064628BA02A396BC44DE1B6C421 + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEB77A94F832471A3A16BF41BA15332C4C34770DA6 + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA419034437F98DAB06A45847C06BA03B6C519DD831A + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD82BB2529BD3EE95718383AA666A4A648940315D3 + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0132555E62B83CB028379E09DC11614164693F9EC167 + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CEBD850773B2BDC2AB096B706C1C45A255C13212F + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D396CBC968C37287FECCCBBFECFA603A160F5F016 + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940089633C6A325A9E94F8FEC0BB1FE1160D745B383CD35 + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA3B85E082316DB1A6CB5BFCF356CA7931CCCBFE3E8 + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A468384EAE8EB6BC0AE29C0D9CB6E8C9E608C258B15A1 + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB406E93BDABD6899FC98132FCAD8B0E71BEA8A27 + +Count = 974 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424278F56D0DDCB16DB3C11DD021306EE44F2BA2C2F + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC5218F004FF1612F1E9B1F92613B0CCDBEF7D105A + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C0A9FFE09DE6F3001CCD9D09DC1F28DDAB272A67E + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB72061E79C1EF771828C8DD8B7E7E2818173CBBB3 + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF078747E0E960D5464C88E402BDE3EA1763A03EC8FEB + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF98097188726C02E3D099C4BBB4D1000DBB7792A6B + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 
000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D3FF7DB08AC1F38893FE375C80D08CC44E95A5965 + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443C237619D594E703ACE09A3229CCE2E7131B75B1F9 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717BD706096BA1A219D3191B19FB4F9FCF1E0E78F488 + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676B761723169F934CE7AD4FB495FE9E3229E96C7B82 + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1E0F95A333C87BF5047B54859DB61173ED6EB0205 + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C30369F966A3054FB74775CB78A012C8A30855A40CAA3E + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 
CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F6CA42627F9F998F679B3C022FAC895DF5C9ED605 + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E415302672A5291903FF5A83745F651DAD41B92248AA0766BC + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D185305737A7FF6987E29CDF3DCAC59515A372DD883 + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E74E8E5B8C5805A5E339CBA94899D30F4EC7B2BAE1 + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F15309C07F8CC4620D291D85145BEA780D9D74C7F7D0 + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA07A525E92C8E0D7427F8190070864E6005AC482CDD6 + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD2BE5AB84479CA1C74ED7954172DB4107D8E028FB5DB + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC422E1FAA5BCB03EE7A3F1CA09762DC7B464F6198FB08 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FEFD18BCB030703506212354C7CAE507C6EE69144D2 + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377E7530B9A6EF3C27966A9D5E8843392A0B97B7E1EFFD + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD1A2E7CBFA7E9FD1E162AE937E8BBF90D583BCC6869 + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEB77A94F80A04CA96CB629EBE8A003BA6E86DA101B5 + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA419034437F81D167C24D1465A9D14504DB65152283BB + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD82BB2529A93434E35089E10767E149ED4205A08FF1 + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0132555E62B8C2CAF186F617AA6A317425A04A303775E6 + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CEBD85077117A3F43C22CAF867895BAFACB1B396EA8 + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D396CBC96B896825EEB04625C9852B135B3638B1EF4 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940089633C6A325AC1A00253B99DA648145865DB7D16948AC + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA3B85E0823632B0BEAD3B19685FE2BEABC259F7B2373 + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A468384EAE8EB4206399E886D9EA30E1F59760B879C4215 + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB406E93B6167B59FAFBABD53228824812266C8B230 
+ +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424278F56D0A6EA7CA6694E73600CFA455A80DBE47C5C + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC5218F00400B85016F9985E334EE684FC994D40CE7A + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C0A9FFE09599EBAB6982D0FEE37AE848FEA17E63FF5 + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB72061E793FE24E74106470625604BF53F8459995DE + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF078747E0E96BB5E3E9BBD7DAA250C460A079F53A69F1C + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF9809718874C08E97701C3E0E054E146FDE54692A4C0 + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D3FF7DB085873B1A45E8EA74484CBEC9E8BD66585DC + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443C237619D5994ED2DC77E985A17213D289912BB48129 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717BD706096B2254256043167926F533DB27F8BBD1C029 + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676B76172316A48ADE74B88AC5566840787D0429841452 + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1E0F95A33301CFD9A561673FBFE9F2C3536A9A692A1 + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C30369F966A305733D3E08007A28C02E0955CE02B208320E + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F6CA426276ADD59E89FFC237F5B4CBAFE4F7E61F2D4 + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E415302672A529190393B31DA90FF91B600A7C5E925FD1F82ACF + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D185305737A045CAEDB141F15EBFABA8102C71BA6AC6D + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E74E8E5B8CFF545A456969718B2066A319015BE83B81 + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F15309C07F8C22BCE18445A4781B44F809C2A469FBE625 + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = 3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA07A525E92C818C8140C918CE2167253FCE27B09D2B23A + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = 
7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD2BE5AB844796A076078236B5B5F98DAB5B76219087228 + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC422E1FAA5BCB1C5A2B5F337803E250689976F97CE63073 + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FEFD18BCB03A995783EE4BF242588524FF60968D982B3 + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377E7530B9A6EF57578BA91B847FB85FB8F6F8FA9F7C7C63 + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD1A2E7CBFA79893F231E30A2BC91DF6FDE04F8FDB2944 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEB77A94F80AF2DAA3F1B9846E08B2801460E992139354 + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA419034437F81135911191412F926A98C85F697DA3A8216 + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = 
1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD82BB2529A94ED7BF826934A7E4DA8E045FB41852B977 + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0132555E62B8C2B3502973914BE72E634CE6E49FA6D408DA + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CEBD850771166ED88021EA6BDAC8815801BC0D2EC5E58 + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D396CBC96B802F74B3B204C033479636C5DC501254801 + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940089633C6A325ACCAAB14321714F22E3C841FBB7A623899D7 + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA3B85E08236303E07870C1D7E69E1736197EB09A0652C7 + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A468384EAE8EB42006CE8D1177B47D62A26B6862C0ECE9B11 + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB406E93B613ADBCCC085D2D58E82C0C4E2D2E20A3139 + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424278F56D0A6F2CE9D18014BDEE2A32541F81FA3F2E541 + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC5218F004005F7106D95552314B57C3748FE88ECA7AA5 + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C0A9FFE0959E013729C7F8B7C4DE14A61C23E3FAC6FE1 + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB72061E793FCA9E5CE8BE20FA5635A4FD67CC5D7507AB + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF078747E0E96BB671A006B34EE08523E1F85E4FC22B43B6F + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 
B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF9809718874CF5860ECC6B1FEABE9338E462B7244C7F43 + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D3FF7DB08583203CA49319653553166F6EF221DF25956 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443C237619D5990FB35E883717C82613E0301BDF6C7FA4F8 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717BD706096B22D7BA489CE5EECEDA17D23F506FDFF38BA6 + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676B76172316A4872F2E153C15BF67C67298DAE65C7BDC25 + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1E0F95A333028C134A78C89EF9CBBE6D22F035145FEE6 + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 
29126565DBFE01326628A711910A1495554E168E64E6C30369F966A30573954F2821B027A6657E04F39B536ACA29E7 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F6CA426276A97F4DE5621B5703DEC26F9E56B5EABE2A5 + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E415302672A5291903934515D80AC0203C4FF950B27C9131673ADA + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D185305737A044A16A3F3246EE585C930795DF27E75D4E5 + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E74E8E5B8CFFBA58B781AA855200248D9EEE228A4D18FD + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F15309C07F8C22B77863311F4F4C373F0EA2BC267E58770E + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = 
3A2349E46356665E40D1D0787DD30F019BE46C21A06A49CEA07A525E92C818B789F53A240FC31EA16056727515FCE752 + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = 7B6F012D69E59228069B07D18C50401783D0EA45221FA79AD2BE5AB844796AE271024BC54D5EAC99F76F552DF8C8FC26 + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = E5D31FC8CDD2BEA8F41AF1B8381F9CBC9A539C9F4ED7A7BC422E1FAA5BCB1C6FCC1B62C892E2B2F566C05EBA093B18E9 + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = 07E31194EF51368D52059D36DFD98F12A0E71FE4E7E97ED06FEFD18BCB03A90B0EEB943B4DCCF4BF8A38F1B7B6D6AF3A + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = CC513B823C2721DEC1A7F8AB5F3DBD85F7ECF4BFA28BD3377E7530B9A6EF571693FB1A9D88EA2A8E3A26B83A30E0E0CE + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = FD27D5B5C12A4E1F8EDCF76286192189136DB6AAFB6FF315BD1A2E7CBFA798160934A82B53F8A0C5F6F86616C93240D0 + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = A7564530AF1D9C050C242B3A3C0ACE20810866472B537E1DFEB77A94F80AF200904744C07D24966A852057173AF4A095 + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 
00010203040506 +CT = A2A896553337179490B38891BEF1CCFD05FC1A1189CCADFA419034437F8113FBEC09F18C648C115FC0280C4B0C68CCC5 + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = 1FF84F15729386B161A0CE3F760AE7E0BD152AD381C75897AD82BB2529A94EEA3B46DA554F260C47E05CB9D75CE247AB + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = 807D5D994486FF78A52D691651A9D1C74325C442E1B76D0132555E62B8C2B3838DBD0D9E8822982256F9CD4C366EA9BA + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = C85CA416C27D76FECFDED1E99B9F4A4F56762FAF87BDB0893CEBD850771166AEC765DC6C8670AFB83F356DA57381487F + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = 7BB05D48871BCD378F27F9BDA1217D6E17A3D2DCA9AF6BDC0D396CBC96B802FB4FABA9BC730C2A458917F2FF65F5791F + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = BC2F7866890E9B6A96E55632F4FA352DBB8E00A5E1C940089633C6A325ACCA10903314ADC9190B3BA3213188AEA768E7 + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = 91F9F5F1CD509772479335072E1CE0D92F5B8559EDB3183BA3B85E08236303010218115FBCB6863DDC60518836ED2B3A + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = 465F38DDA3949D2DD58FB77526F7AB4825233BF718464A468384EAE8EB420088EA55397F51FEA7CE44EF39205F61B5F6 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = 4DC7C270F068AAAB94CB893A1C54D8915224B4575F5A09A76EB406E93B613A4E86B9A2575D400A698EAF0DB1B3683827 + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = 7DD27A06613F2CF4B10E24BA14AC8326330288D51F17107424278F56D0A6F21E502352CAB130B49DC4528A5B6FA8DEAE + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7775A0D32FC813794D909C31B677D40C7D2A7C6B978DDF09EC5218F004005FF6F7DC1E202B1A8C094883DC3B34AF2F5A + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C02A1B8880E0C1646BB71BB812E71B0DBADDD094FCE3AE5C3C0A9FFE0959E03067CB8C3AAC93A5F11F87C067532ABA37 + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5354BF538DC71F638B7081C9095D4EB248BCC1FE221EFA06CB72061E793FCAB49CC08152211EB3137486594CA9AF01FE + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 
000102030405060708090A0B0C0D0E0F10111213 +CT = 3BC0870CC5612B3D639FDE273FAF3D20E3586B6ADC683EF078747E0E96BB672BA1BFEEBD56D51E98BB694A7ACFC1F14F + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B7D7BA2F839FFB2BE611B5D20B8F5E8FE772027C7ACFBE7EF9809718874CF557C71146CEBBA9721360CA6D9F14F2FD3B + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = A528C33B75E4C3DB416394882994D2AFA5D21C60373C4F381D3FF7DB08583255ACD3B72537E4EC3992DBB601A6BC5159 + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1508DEC4EED6EA6FDCB1292CCE2A73CFB1A84266B724F2443C237619D5990F135BB14B6007001D109C22E37338A4C4F8 + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 4DAAD2227BD9319053F4D3171D9970D1169BDB49ACB837717BD706096B22D7378DD541E6836E4E85D89F0B55782061DE + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = CAA588C0802B83F2FCB3799532D73E5247C8ADE43A7BC4676B76172316A48786DDEFE0FB481C1D86F298924B7CD0A8F8 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
+CT = 8D070D8594EBCFCC2DE20FD3BD433B6419E125A388181CB2A1E0F95A333028A4260A96FBB409C467C2A832A9748C1920 + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 29126565DBFE01326628A711910A1495554E168E64E6C30369F966A3057395044689EBF9E649CE682682E57F5D013EFF + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = CAD2EAE58F8EAB4F040ADB3B378DBAE97B7C8F13C8B88E5F0F6CA426276A978B52AED52E94C0DB36560545A9CCB27F61 + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8A710305BADF747BC5C66E099DA16A730F39E0E6E415302672A52919039345D0A74FD6D9081327F2FDE63044A7F8F26A + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = ED7D2B2B4BB0FF69D6A916802AC0560923C1EA87C19B880D185305737A044A701F1B510A210B1B40BAA4BE0F81DFA3A5 + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = D578749BC21BAA6DC83FBE93DB5AE0A9FF4A8BF77AC17FB3E74E8E5B8CFFBAD3CA79EB6EEB77D53B9FCFD0EB9296F0F6 + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75E58B469737D7CEF3ABC68D345033CD8C02F3E51B3D05F15309C07F8C22B7165DF71D3707748A21429311C29D748D49 + diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/ascon.h @@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/config.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/config.h new file mode 100644 index 0000000..6d19c18 --- /dev/null 
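Review bot: The struct typedef'd as `key_t` in ascon.h collides with the POSIX type of the same name from `<sys/types.h>`, which common libc headers pull in transitively, so a translation unit that includes this header alongside something like `<unistd.h>` gets a conflicting-typedef error. A project-prefixed name such as `} ascon_key_t;` avoids the clash; the declarations below it and the definitions in encrypt.c would follow. The identical typedef appears in the bi32_armv6/ascon.h hunk further down. The `#include` line shows no header name in this rendering (presumably `<stdint.h>`, since `uint64_t` is used on the next lines), which looks like an extraction artefact rather than something to change.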
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.c
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/endian.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/endian.h 
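Review bot: In `crypto_aead_decrypt`, `ascon_decrypt` has already written the complete plaintext into `m` and `*mlen` has been set before the tag is checked, so on a nonzero return the caller is left holding unauthenticated plaintext that differs from a successful result only by the return code. Clearing the output on failure keeps a caller that ignores the return value from processing forged data: `int result = NOTZERO(s.x[3], s.x[4]);` / `if (result) memset(m, 0, clen);` / `return result;`. `memset` needs `<string.h>`, which word.h appears to pull in already for `memcpy` (its include targets are not visible in this rendering). Even if the clearing is not adopted, a one-line comment above the tag check stating that `m` is only valid when the function returns 0 would document the contract.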
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/forceinline.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/forceinline.h 
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.c
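Review bot: The `#elif defined(__CLANG__)` branch can never be selected: clang predefines `__clang__` (lower case), not `__CLANG__`, and because clang also defines `__GNUC__` the preceding branch is taken first in any case. The branch is therefore dead code that reads as though clang's `__has_attribute` probe were in effect. Either spell it `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test so the probe actually runs, or drop it.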
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.c 
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/permutations.h
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.c 
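Review bot: `P` is written as three independent `if`s with no fallback, so a `nr` other than 6, 8 or 12 silently leaves the state unpermuted instead of failing; the `P12`/`P8`/`P6` variant of `P` below has the same shape. The callers in this patch only pass those three values, so this is a contract-documentation point rather than a live bug: `/* nr must be 6, 8 or 12; any other value is a silent no-op */` above each `P`, and `else if` between the branches to make their exclusivity explicit.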
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/round.h new file mode 100644 index 0000000..772d7f2 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/round.h 
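Review bot: `printstate` prints all five state words, and at the `"init 1st key xor"` call in encrypt.c `x[1]` and `x[2]` hold the raw key words, so any build with `ASCON_PRINT_STATE` defined writes key material to stdout as part of the trace. A header comment in printstate.h should make that explicit, e.g. `/* Debug tracing only: prints the full state, including key words during init. Never define ASCON_PRINT_STATE for a production build. */`. Minor: `int i = strlen(text)` narrows a `size_t`; `for (size_t i = strlen(text); i < 17; ++i)` avoids the implicit conversion.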
@@ -0,0 +1,46 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint64_t C) { + state_t t; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[1] ^= t.x[0]; + t.x[3] ^= t.x[2]; + t.x[0] ^= t.x[4]; + /* linear layer */ + s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1); + s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10); + s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7); + s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39); + s->x[2] = t.x[2] ^ ROR(s->x[2], 1); + s->x[3] = t.x[3] ^ ROR(s->x[3], 10); + s->x[4] = t.x[4] ^ ROR(s->x[4], 7); + s->x[0] = t.x[0] ^ ROR(s->x[0], 19); + s->x[1] = t.x[1] ^ ROR(s->x[1], 39); + s->x[2] = ~s->x[2]; + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32/word.h 
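Review bot: `PROUNDS` is a do/while and so always performs at least one round: for a `nr` where `START(nr)` already equals `END` (nr == 0) it calls `ROUND(s, RC(24))` and reads past the 24-entry `constants` table in constants.c, and for `nr` outside 0..12 the start index lies outside the table altogether. Callers in this patch only pass 6, 8 and 12, so this is a latent hazard rather than a live bug, but `while (i != END) { ROUND(s, RC(i)); i += INC; }` removes the unconditional first round, and a comment such as `/* nr must be 6, 8 or 12: START(nr) reaches END in steps of INC */` documents the precondition that remains.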
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/architectures b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/ascon.h 
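Review bot: `LOAD` and `STORE` dereference a full `uint64_t` at `bytes` whatever `n` is, so the partial-block calls in encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(m, *px, clen)` with fewer than 8 bytes left) read up to 7 bytes past the caller's buffer, and `STORE` additionally ORs the upper bytes of `WORDTOU64(w)` into the memory it did not clear, which in the decrypt path lies beyond the end of `m`. The `(uint64_t*)` cast also assumes 8-byte alignment and breaks strict aliasing. `LOADBYTES` and `STOREBYTES` in the same hunk already have the bounded `memcpy` form; giving `LOAD` and `STORE` those bodies removes both problems and, on a little-endian target, yields the same word the mask currently selects (`MASK` then has no remaining user in this hunk).
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```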
@@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/config.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/config.h new file mode 100644 index 0000000..6d19c18 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/config.h @@ -0,0 +1,29 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 1 +#endif + +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 1 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.c 
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/encrypt.c
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/endian.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/endian.h
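Review bot: `crypto_aead_decrypt` writes the decrypted bytes into `m` and sets `*mlen` before the tag is compared, and on a mismatch it returns -1 while leaving the unauthenticated plaintext in the caller's buffer. The SUPERCOP/LWC API permits that, but it makes it easy for a caller to act on forged data, so I would wipe the output on failure: `int result = NOTZERO(s.x[3], s.x[4]);` / `if (result) memset(m, 0, (size_t)*mlen);` / `return result;` (word.h already calls memcpy, so `<string.h>` is presumably reachable from here — verify). The stack copies of the key schedule (`key_t key`) and of the sponge state `s` are likewise left behind on return in both `crypto_aead_encrypt` and `crypto_aead_decrypt`; if this build targets devices where stack residue can be read back, a clear that the compiler cannot elide would be worth adding at both exits. The comment `/* verify tag (should be constant time, check compiler output) */` states an obligation rather than a guarantee; `NOTZERO` is branch-free as written, so it would be clearer to say that the check relies on `NOTZERO` in word.h staying branch-free.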
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.c
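Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang spells its predefined macro `__clang__` (lowercase), and since clang also defines `__GNUC__` it is always taken by the preceding `#elif defined(__GNUC__)` anyway. Either delete the branch together with its `__has_attribute` probe, or change it to `#elif defined(__clang__)` and move it above the GNUC test if the intent was to use the feature check on clang. As written, the trailing `#define forceinline inline` fallback is reached only by compilers that are neither MSVC nor GCC-compatible, which is worth stating in the `/* define forceinline macro */` comment so nobody relies on always_inline being present there.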
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.c
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/permutations.h
@@ -0,0 +1,123 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+#define LOADSTATE(s, a, b, c, d, e) \
+ do { \
+ a.x = s->x[0]; \
+ b.x = s->x[1]; \
+ c.x = s->x[2]; \
+ d.x = s->x[3]; \
+ e.x = s->x[4]; \
+ } while (0)
+
+#define STORESTATE(s, a, b, c, d, e) \
+ do { \
+ s->x[0] = a.x; \
+ s->x[1] = b.x; \
+ s->x[2] = c.x; \
+ s->x[3] = d.x; \
+ s->x[4] = e.x; \
+ } while (0)
+
+forceinline void P12ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC0);
+ ROUND5(x2, x3, x4, x0, x1, RC1);
+ ROUND5(x4, x0, x1, x2, x3, RC2);
+ ROUND5(x1, x2, x3, x4, x0, RC3);
+ ROUND5(x3, x4, x0, x1, x2, RC4);
+ ROUND5(x0, x1, x2, x3, x4, RC5);
+ ROUND5(x2, x3, x4, x0, x1, RC6);
+ ROUND5(x4, x0, x1, x2, x3, RC7);
+ ROUND5(x1, x2, x3, x4, x0, RC8);
+ ROUND5(x3, x4, x0, x1, x2, RC9);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCa);
+ ROUND5(x2, x3, x4, x0, x1, RCb);
+ STORESTATE(s, x4, x0, x1, x2, x3);
+#else
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC4);
+ ROUND5(x2, x3, x4, x0, x1, RC5);
+ ROUND5(x4, x0, x1, x2, x3, RC6);
+ ROUND5(x1, x2, x3, x4, x0, RC7);
+ ROUND5(x3, x4, x0, x1, x2, RC8);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RC9);
+ ROUND5(x2, x3, x4, x0, x1, RCa);
+ ROUND5(x4, x0, x1, x2, x3, RCb);
+ STORESTATE(s, x1, x2, x3, x4, x0);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC6);
+ ROUND5(x2, x3, x4, x0, x1, RC7);
+ ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9);
+ ROUND5(x3, x4, x0, x1, x2, RCa);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCb);
+ STORESTATE(s, x2, x3, x4, x0, x1);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCb);
+#endif
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.c
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/round.h
new file mode 100644
index 0000000..a52ca55
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/round.h
@@ -0,0 +1,229 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror 
#11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], 
%[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round 
description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], 
%[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6/word.h 
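Review bot: In `ROUND_LOOP` the loop bound `E` is declared as a read-write operand, `[ E ] "+r"(E)`, although the asm only reads it in `cmp %[C], %[E]` and never writes it; it belongs in the input list as `[ E ] "r"(E)`, so the compiler is not told that `E` changes and can keep it in any register. The same asm fetches the round constants with `ldrb %[tmp1], [%[C]], #1` but declares neither a `"memory"` clobber nor an input operand covering `constants[]`; that is sound only because the table is a `const` global initialised at load time, and a one-line comment on `ROUND_LOOP` saying so would stop a future change that fills the table at runtime from being silently miscompiled. `ROUND` and `ROUND5` pass the constant through `"i"` constraints (`[ C_e ] "i"((uint32_t)C)`), which means `C` must fold to a compile-time constant; a comment stating that, and that the `"cc"` clobber is only needed in `ROUND_LOOP` because of its `cmp`, would make the three variants easier to maintain together.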
@@ -0,0 +1,116 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+#include "interleave.h"
+
+#if ASCON_EXTERN_BI
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+#else
+
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
+
+#endif
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
+}
+
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
+}
+
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
+}
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/architectures b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/ascon.h
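Review bot: LOAD and STORE read and write a full 8 bytes through `*(uint64_t*)bytes` regardless of `n`, so the partial-block calls in encrypt.c (`LOAD(ad, adlen)`, `STORE(c, *px, mlen)`, `STORE(m, *px, clen)`) touch up to 7 bytes beyond the data the caller owns, and STORE additionally ORs the upper bytes of `w` into those positions instead of preserving them. For decryption that is a write past the end of `m`, which the API sizes at exactly `clen` bytes, unless every caller guarantees slack; the cast also assumes the buffer may be accessed as a `uint64_t`, which the compiler is not obliged to make safe for an arbitrary `uint8_t*`. The direct access is presumably a speed choice for the full-block path; keeping it for `n == 8` and falling back to the memcpy form already used by LOADBYTES/STOREBYTES for the final block removes the out-of-bounds access without changing any result.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  if (n == 8) {
    x = *(uint64_t*)bytes; /* full block: keep the fast path */
  } else {
    memcpy(&x, bytes, n); /* final block: touch only the n bytes the caller owns */
  }
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  if (n == 8) {
    *(uint64_t*)bytes = x;
  } else {
    memcpy(bytes, &x, n); /* never write beyond the caller's n bytes */
  }
}
```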
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/config.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/config.h
new file mode 100644
index 0000000..530c3ad
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.c
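Review bot: `key_t` in ascon.h collides with the POSIX type of the same name from <sys/types.h>, which glibc's stdlib.h pulls in under its default feature macros, so a translation unit that includes both gets a redefinition error; a project-prefixed name such as `ascon_key_t` (renamed in encrypt.c as well) avoids the clash. The `#if (CRYPTO_KEYBYTES == 20)` inside the same struct also depends on api.h having been included before ascon.h, which ascon.h does not do itself — a unit that reaches ascon.h only through printstate.h would see `CRYPTO_KEYBYTES` as 0 and a different struct layout. Adding `#include "api.h"` at the top of ascon.h makes the layout independent of include order.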
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/encrypt.c
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/endian.h
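Review bot: crypto_aead_decrypt has already written the complete plaintext into `m` by the time the tag is compared, and on a mismatch it returns -1 with that unauthenticated plaintext still sitting in the caller's buffer, so any caller that ignores the return value (or a harness that prints `m` regardless) consumes forged data. Clearing the buffer on failure is cheap and closes that gap: `int result = NOTZERO(s.x[3], s.x[4]);` / `if (result) memset(m, 0, clen); /* never release unverified plaintext */` / `return result;`. The branch happens after the branch-free comparison in NOTZERO and only reveals the public accept/reject outcome, so it does not weaken the constant-time property the comment above it asks for; memset presumably arrives through word.h, which already uses memcpy — confirm <string.h> is included rather than relying on that.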
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.c
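Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h tests a macro clang does not predefine — the real name is `__clang__`, lower case — and clang also defines `__GNUC__`, so the `__GNUC__` branch above it already wins; the `__has_attribute` probe is dead code. Either drop the branch or spell it `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test so the attribute probe actually runs for clang.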
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.c
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/permutations.h
@@ -0,0 +1,78 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+forceinline void P12ROUNDS(state_t* s) {
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.c
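Review bot: In both unrolled variants P(s, nr) is a chain of three independent `if`s with no fallback, so an `nr` other than 12, 8 or 6 silently performs no rounds and the caller continues with an unpermuted state. The call sites in this commit only pass `12` and the `nr` derived from ASCON_AEAD_RATE, so today this is a documentation point; a comment on the first `P` definition, `/* nr must be 12, 8 or 6 — any other value is a silent no-op */`, makes the contract visible. In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` variant P also references P6 and P8, which permutations.c only compiles under rate-specific conditions, so the unreachable branch is presumably relied on to be optimised away — an unoptimised build may fail to link there.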
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/round.h
new file mode 100644
index 0000000..76679e7
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/round.h
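Review bot: printstate() prints all five state words, and the call sites in encrypt.c invoke it immediately after the key has been XORed in (`init 1st key xor`, `final 1st key xor`), so a build with ASCON_PRINT_STATE defined writes key material to stdout; a comment at the top of printstate.c, `/* debug tracing only: dumps the full state, including key material at init/final; never define ASCON_PRINT_STATE in a production build */`, makes that explicit for whoever wires up the build flags. The padding loop `for (int i = strlen(text); i < 17; ++i)` narrows a size_t into int; `for (size_t i = strlen(text); i < 17; ++i)` is the warning-free form.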
@@ -0,0 +1,325 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "ldrb %[tmp2], [%[tmp1], #0]\n\t" + "push {%[tmp0]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" + "ldrb %[tmp2], [%[tmp1], #1]\n\t" + "add %[tmp1], %[tmp1], #2\n\t" + "movs %[tmp0], %[x2_h]\n\t" + "push {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs 
%[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], 
#11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], %[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "pop {%[tmp1]}\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "pop {%[tmp0]}\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + "cmp %[tmp1], %[tmp0]\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "+l"(E), [ tmp2 ] "=l"(tmp1) + : + :); + printstate(" round output", s); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp1], %[C_e]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" 
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "movs %[x0_l], %[C_o]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + 
"eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], #11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], 
%[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C_e ] "ri"((uint32_t)C), [ C_o ] "ri"((uint32_t)(C >> 32)) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv6m/word.h 
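Review bot: The clobber list of the `ROUND_LOOP` asm is empty (the statement ends `: :);`) although the block sets the flags with Thumb-1 `movs`/`eor`/`bic` and `cmp`, and reads the round-constant table through `%[tmp1]` (bound to `C`) into `%[tmp2]` with `ldrb`, which no operand describes; the `ROUND` asm in the same hunk has the same shape. Unless the toolchain in use is documented to assume both, list them explicitly, `: "cc", "memory");`, so the compiler neither keeps a live comparison across the asm nor reorders accesses around the table reads. The `push {%[tmp0]}` / `pop {%[tmp0]}` pairs move the stack pointer behind the compiler's back, which is only safe while every operand stays register-constrained ("l"/"r"); that invariant deserves a comment next to the first `push`, e.g. `/* push/pop must stay balanced and no operand may be memory-constrained: sp is moved inside the asm */`. The armv7m round.h at the end of this page starts with the same `ldrb` access through the `C` pointer, but its hunk is cut off here.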
@@ -0,0 +1,116 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+#include "interleave.h"
+
+#if ASCON_EXTERN_BI
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+#else
+
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
+
+#endif
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
+}
+
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
+}
+
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
+}
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/architectures b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/ascon.h
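Review bot: `LOAD` and `STORE` go through `*(uint64_t*)bytes` regardless of `n`, so every partial-block call reads eight bytes where only `n` are valid, and `STORE` ORs the whole of `WORDTOU64(w)` back, writing its `8 - n` trailing bytes past the end of the caller's buffer; on armv6-m the cast additionally assumes 8-byte alignment that `ad`/`m`/`c` do not have, and unaligned word loads fault on Cortex-M0-class cores. As far as this page shows, the final-block callers in encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, and `STORE(m, *px, clen)` in `ascon_decrypt`, where `*px` still carries `PAD(clen)`) depend on slack beyond the buffers that a benchmarking harness may provide but a general caller will not. `LOADBYTES`/`STOREBYTES` in the same hunk already do the same job with `memcpy`, so the two functions can be reduced to that form (or documented as requiring `n == 8` or 8 bytes of slack) without changing the bytes within `n`.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* copy only the n valid bytes; the rest of x stays zero, which on a
   * little-endian target is the same value the masked word load produced */
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* write only the n bytes that belong to the caller's buffer */
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```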
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/config.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/config.h
new file mode 100644
index 0000000..4338d29
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.c
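Review bot: The `key_t` struct selects its `k0` member with `#if (CRYPTO_KEYBYTES == 20)`, but ascon.h includes only word.h and not api.h where `CRYPTO_KEYBYTES` is defined, so the layout depends on include order: a translation unit that includes ascon.h before api.h evaluates the macro as 0 and gets a `key_t` without `k0`, a silent layout mismatch for a 20-byte-key build. Adding `#include "api.h"` ahead of `#include "word.h"`, or a comment on the struct stating that api.h must already be included, removes the ordering dependency. `key_t` is also the name of a POSIX type from `<sys/types.h>`, which hosted toolchains can pull in through other system headers; a project-prefixed name such as `ascon_key_t` avoids that clash.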
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/encrypt.c 
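Review bot: The `RC(i)` macro uses its argument unparenthesized (`constants[i + 1]`), unlike `START(n)` a few lines below; the `[]` context keeps it harmless today, but `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` makes the two macros consistent. The `RC0`..`RCb` literals duplicate, pairwise, the bytes of `constants[]` in constants.c for the unrolled build (`RC(0)` equals `RC0`, `RC(2)` equals `RC1`, and so on); a one-line comment above `RC0` such as `/* must match constants[] in constants.c: RC(i) = constants[i] | constants[i + 1] << 32 */` ties the two tables together for the next maintainer.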
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/endian.h
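Review bot: `crypto_aead_decrypt` writes the plaintext into `m` and sets `*mlen` before the tag is compared, so on a failed verification the caller receives -1 together with a fully populated, unauthenticated plaintext buffer; the SUPERCOP-style API tolerates this, but nothing in the function prevents a caller from consuming it. A small hardening keeps the verdict and scrubs on failure: `int result = NOTZERO(s.x[3], s.x[4]);` / `if (result != 0 && clen) memset(m, 0, (size_t)clen);` / `return result;` (this needs `<string.h>`, which the visible includes do not list). The `key_t key` and `state_t s` locals hold key material and are left on the stack in both entry points; if the project wants best-effort cleanup, a volatile-write wipe before each `return` is the usual pattern. The "check compiler output" remark on the verify comment rests on `NOTZERO` staying branchless, which is worth saying in the comment itself so a later edit does not replace it with a comparison.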
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.c
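Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is dead: clang defines `__clang__` (lower case) and also `__GNUC__`, so it always takes the `__GNUC__` branch above and the `__has_attribute` test is never evaluated. Either drop the branch or spell it `#elif defined(__clang__)` and place it before the `__GNUC__` test; if it is kept, wrap the probe in `#ifdef __has_attribute` first, since a preprocessor without `__has_attribute` rejects the expression outright rather than treating it as false.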
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.c
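Review bot: `extern const uint32_t B[3];` exports a one-letter global symbol to every translation unit that includes this header, and interleave.c defines it only under `!ASCON_EXTERN_BI` while config.h defaults `ASCON_EXTERN_BI` to 1; the inline functions that index it are then unreferenced, so this links today, but a new caller would fail at link time with no hint why. A project-prefixed name and a comment above the declaration, e.g. `/* defined in interleave.c only when !ASCON_EXTERN_BI; with extern bit-interleaving the functions below are unused */`, would make the dependency visible. The comma-chained statements in `deinterleave16`/`interleave16` (`t = ..., x ^= ...;`) are legal but read as a single expression; one statement per line is easier to audit.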
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/permutations.h
@@ -0,0 +1,123 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+#define LOADSTATE(s, a, b, c, d, e) \
+ do { \
+ a.x = s->x[0]; \
+ b.x = s->x[1]; \
+ c.x = s->x[2]; \
+ d.x = s->x[3]; \
+ e.x = s->x[4]; \
+ } while (0)
+
+#define STORESTATE(s, a, b, c, d, e) \
+ do { \
+ s->x[0] = a.x; \
+ s->x[1] = b.x; \
+ s->x[2] = c.x; \
+ s->x[3] = d.x; \
+ s->x[4] = e.x; \
+ } while (0)
+
+forceinline void P12ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC0);
+ ROUND5(x2, x3, x4, x0, x1, RC1);
+ ROUND5(x4, x0, x1, x2, x3, RC2);
+ ROUND5(x1, x2, x3, x4, x0, RC3);
+ ROUND5(x3, x4, x0, x1, x2, RC4);
+ ROUND5(x0, x1, x2, x3, x4, RC5);
+ ROUND5(x2, x3, x4, x0, x1, RC6);
+ ROUND5(x4, x0, x1, x2, x3, RC7);
+ ROUND5(x1, x2, x3, x4, x0, RC8);
+ ROUND5(x3, x4, x0, x1, x2, RC9);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCa);
+ ROUND5(x2, x3, x4, x0, x1, RCb);
+ STORESTATE(s, x4, x0, x1, x2, x3);
+#else
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC4);
+ ROUND5(x2, x3, x4, x0, x1, RC5);
+ ROUND5(x4, x0, x1, x2, x3, RC6);
+ ROUND5(x1, x2, x3, x4, x0, RC7);
+ ROUND5(x3, x4, x0, x1, x2, RC8);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RC9);
+ ROUND5(x2, x3, x4, x0, x1, RCa);
+ ROUND5(x4, x0, x1, x2, x3, RCb);
+ STORESTATE(s, x1, x2, x3, x4, x0);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC6);
+ ROUND5(x2, x3, x4, x0, x1, RC7);
+ ROUND5(x4, x0, x1, x2, x3, RC8);
+ ROUND5(x1, x2, x3, x4, x0, RC9);
+ ROUND5(x3, x4, x0, x1, x2, RCa);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCb);
+ STORESTATE(s, x2, x3, x4, x0, x1);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCb);
+#endif
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.c
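Review bot: Both unrolled `P` wrappers dispatch with three independent `if (nr == ...)` statements and no fallback, so an `nr` other than 12, 8 or 6 leaves the state untouched and the caller proceeds as if a permutation had run; in an AEAD that is a silent loss of all mixing rather than an error. The callers in this commit only pass 12 and the `nr` derived from `ASCON_AEAD_RATE`, so this is a contract to state rather than a live bug: chain the tests with `else if` and put `/* nr must be 12, 8 or 6; any other value is unsupported and leaves s unchanged */` above the first `P`, or route unsupported values to whatever diagnostic the project allows. The register-rotation bookkeeping (`STORESTATE(s, x4, x0, x1, x2, x3)` after 12 `ROUND5` calls, `x1, x2, ...` after 8, `x2, x3, ...` after 6) is correct but opaque; a one-line comment such as `/* each ROUND5 rotates the word names by two, so after n rounds the state sits in x[(2n) mod 5 ...] */` would spare the next reader the derivation.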
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/round.h
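Review bot: `printstate()` in printstate.c prints all five state words, and the encrypt.c hunk later in this diff calls it directly after the key words are copied into `s->x[1]`/`s->x[2]` (`printstate("init 1st key xor", s)`), so with `ASCON_PRINT_STATE` defined the raw key and every intermediate keystream word go to stdout. The `#ifdef ASCON_PRINT_STATE` guard is the only protection, so printstate.h should say so above the declarations: `/* Debug tracing only: dumps the full internal state, including key words. Do not define ASCON_PRINT_STATE in production builds. */`. A minor point in the same function: `for (int i = strlen(text); ...)` narrows `size_t` to `int`; `for (size_t i = strlen(text); i < 17; ++i)` avoids the conversion.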
@@ -0,0 +1,219 @@
+#ifndef ROUND_H_
+#define ROUND_H_
+
+#include "ascon.h"
+#include "printstate.h"
+
+forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) {
+ uint32_t tmp0, tmp1;
+ __asm__ __volatile__(
+ "rbegin_%=:;\n\t"
+ "ldrb %[tmp1], [%[C]], #1\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "orn %[tmp0], %[x4_l], %[x0_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "bic %[tmp1], %[x2_l], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_l], %[x4_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_l], %[x0_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_l], %[x2_l]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0]\n\t"
+ "ldrb %[tmp1], [%[C]], #1\n\t"
+ "eor %[x1_l], %[x1_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x2_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[x3_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t"
+ "eor %[x2_h], %[x2_h], %[x1_h]\n\t"
+ "orn %[tmp0], %[x4_h], %[x0_h]\n\t"
+ "bic %[tmp1], %[x2_h], %[x1_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_h], %[x4_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_h], %[x0_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_h], %[x2_h]\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp1]\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp0]\n\t"
+ "eor %[x1_h], %[x1_h], %[x0_h]\n\t"
+ "eor %[x3_h], %[x3_h], %[x2_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t"
+ "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t"
+ "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t"
+ "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t"
+ "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t"
+ "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t"
+ "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t"
+ "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t"
+ "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t"
+ "cmp %[C], %[E]\n\t"
+ "bne rbegin_%=\n\t"
+ : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C),
+ [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1)
+ :
+ : "cc");
+}
+
+forceinline void ROUND(state_t* s, uint64_t C) {
+ uint32_t tmp0, tmp1;
+ __asm__ __volatile__(
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "orn %[tmp0], %[x4_l], %[x0_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[C_e]\n\t"
+ "bic %[tmp1], %[x2_l], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_l], %[x4_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_l], %[x0_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_l], %[x2_l]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0]\n\t"
+ "eor %[x1_l], %[x1_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x2_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[x3_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[C_o]\n\t"
+ "eor %[x2_h], %[x2_h], %[x1_h]\n\t"
+ "orn %[tmp0], %[x4_h], %[x0_h]\n\t"
+ "bic %[tmp1], %[x2_h], %[x1_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_h], %[x4_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_h], %[x0_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_h], %[x2_h]\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp1]\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp0]\n\t"
+ "eor %[x1_h], %[x1_h], %[x0_h]\n\t"
+ "eor %[x3_h], %[x3_h], %[x2_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t"
+ "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t"
+ "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t"
+ "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t"
+ "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t"
+ "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t"
+ "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t"
+ "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t"
+ "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t"
+ : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]),
+ [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1)
+ : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32))
+ :);
+}
+
+#define ROUND5(x0, x1, x2, x3, x4, C) \
+ do { \
+ uint32_t tmp0, tmp1, tmp2; \
+ /* Based on the round description of Ascon given in the Bachelor's */ \
+ /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \
+ /* see https://github.com/Lucus16/ascon-riscv/ */ \
+ __asm__ __volatile__( \
+ "eor %[x2_l], %[x2_l], %[C_e]\n\t" \
+ "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \
+ "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \
+ "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \
+ "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \
+ "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \
+ "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \
+ "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \
+ "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \
+ "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \
+ "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \
+ "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \
+ "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \
+ "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \
+ "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \
+ "eor %[x2_h], %[x2_h], %[C_o]\n\t" \
+ "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \
+ "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \
+ "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \
+ "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \
+ "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \
+ "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \
+ "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \
+ "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \
+ "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \
+ "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \
+ "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \
+ "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \
+ "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \
+ "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \
+ "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \
+ "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \
+ "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \
+ "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \
+ "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \
+ "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \
+ "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \
+ "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \
+ "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \
+ "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \
+ "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \
+ "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \
+ "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \
+ "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \
+ "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \
+ "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" \
+ "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \
+ "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \
+ "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \
+ "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \
+ : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \
+ [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \
+ [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \
+ [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \
+ [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \
+ [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \
+ : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \
+ :); \
+ } while (0)
+
+forceinline void PROUNDS(state_t* s, int nr) {
+ ROUND_LOOP(s, constants + START(nr), constants + 24);
+}
+
+#endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/word.h
new file mode 100644
index 0000000..d685b5e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m/word.h
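Review bot: `PROUNDS()` hands `constants + START(nr)` and `constants + 24` to `ROUND_LOOP()`, whose asm places `cmp %[C], %[E]` / `bne rbegin_%=` at the bottom of the loop, so one round is always executed before the end pointer is tested; for `nr == 0` the two pointers start equal, the first iteration moves `C` past `E`, and the loop keeps reading beyond `constants[]`, while `nr > 12` makes `START(nr)` negative. Callers in this diff only pass 6, 8 and 12, but the contract should be stated on `PROUNDS`: `/* nr must be in 1..12: the round body runs before the C == E test */`. The literal `24` also duplicates the `END` macro defined in constants.h; `constants + END` keeps the two from drifting apart.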
@@ -0,0 +1,116 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+#include "interleave.h"
+
+#if ASCON_EXTERN_BI
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+#else
+
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
+
+#endif
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
+}
+
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
+}
+
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
+}
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/ascon.h
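Review bot: `LOAD()` and `STORE()` access eight bytes through `*(uint64_t*)bytes` regardless of `n`: `LOAD` masks after reading, so it over-reads up to 7 bytes past the caller's buffer, and `STORE` clears the low `n` bytes but then ORs in the whole of `WORDTOU64(w)` with no `MASK(n)` applied, so bytes `n..7` of the destination are modified too. In the encrypt.c hunk later in this diff the final partial block is written with `STORE(c, *px, mlen)` and `STORE(m, *px, clen)` where `*px` is a full state word, so unless the caller contract guarantees buffers padded to 8 bytes (nothing in this diff documents that) the decrypt path writes state bytes past the end of `m`. At minimum the store should be masked, `*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`, and the over-read/over-write behaviour documented on both helpers; `LOADBYTES`/`STOREBYTES` below already show the `memcpy` form that avoids both the out-of-bounds access and the strict-aliasing violation of the `uint64_t*` cast.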
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/config.h
new file mode 100644
index 0000000..b6ab257
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 0
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
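Review bot: ascon.h names its key struct `key_t`, which is also the POSIX type declared by `<sys/types.h>` and pulled in transitively by the standard headers on many libcs (printstate.c in this diff includes the stdio family alongside ascon.h), so a translation unit seeing both risks a conflicting-typedef error; a project-prefixed name such as `ascon_key_t` avoids the clash. The struct's layout also depends on `CRYPTO_KEYBYTES` from api.h, which ascon.h does not include: a translation unit that includes ascon.h before api.h evaluates `#if (CRYPTO_KEYBYTES == 20)` with an undefined macro (treated as 0 by the preprocessor) and silently gets a struct without `k0`. ascon.h should `#include "api.h"` itself, or carry `/* requires api.h (CRYPTO_KEYBYTES) to be included first */` above the typedef.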
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.c
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/encrypt.c
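Review bot: The `RC(i)` macro uses its argument unparenthesized in `constants[i + 1]` and `constants[i]`, unlike `START(n)` directly below it which wraps `(n)`; an argument containing a lower-precedence operator (a conditional or comma expression) would index the wrong element. `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` keeps the two macros consistent.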
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/endian.h
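Review bot: `crypto_aead_decrypt()` writes the decrypted bytes into `m` through `ascon_decrypt()` and sets `*mlen` before `ascon_final()` and the `NOTZERO()` tag comparison run, so on a corrupted or forged ciphertext the caller's buffer holds unauthenticated plaintext and `*mlen` reports its length while the function returns -1. That is the usual shape of this API, but the hazard should be recorded on the function: `/* On failure (-1) m contains unauthenticated data and must be discarded by the caller */`; wiping `m` and setting `*mlen = 0` on the failure path would be a small, safer alternative if the maintainers accept the cost. The comment `verify tag (should be constant time, check compiler output)` is also the only place the constant-time requirement is written down; `NOTZERO()` in word.h should carry the same note, since a compiler is free to turn its mask arithmetic back into a branch.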
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/forceinline.h
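Review bot: `U64BIG(x)` expands its argument eight times, so it is only safe on side-effect-free expressions, and the header does not say so; printstate.c in this diff applies it to `WORDTOU64(x)`, which under `ASCON_EXTERN_BI` is itself `U64BIG`, producing 64 textual copies of `x` per call. A `static inline` byte-swap function would evaluate the argument once and is expected to optimise to the same code; short of that, a comment above the macro, `/* evaluates x multiple times: pass only side-effect-free expressions */`, is warranted.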
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.c
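Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h tests a macro Clang does not define — the predefined macro is lower-case `__clang__` — so the branch and its `__has_attribute` check are unreachable. It is harmless only because Clang also defines `__GNUC__` and is caught by the preceding branch, but the dead code misleads the reader; either correct the spelling to `__clang__` and place it before the `__GNUC__` test so the attribute probe is actually used, or drop the branch.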
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.c
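Review bot: `extern const uint32_t B[3]` exports a single-letter identifier with external linkage from a library header, which is easy to collide with in user code or another library linked into the same image, and the name says nothing about the table's role next to the `0xff00` literal used beside it. A project-prefixed name (for example `ascon_bi_masks`) or a `static const` table in the header, which the `forceinline` helpers can use directly, would remove the namespace exposure; the definition in interleave.c would change to match, and a one-line comment above the declaration should state that the entries are the bit-group masks for the 1-, 2- and 4-bit swap steps of `deinterleave16`/`interleave16`.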
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.c 
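Review bot: The two unrolled `P(state_t* s, int nr)` variants in this hunk dispatch with `if (nr == 12) ... if (nr == 8) ... if (nr == 6)` and silently leave the state untouched for any other round count, with no diagnostic. Every call site in encrypt.c passes 6, 8 or 12 as a compile-time constant, so a comment is probably enough: `/* nr must be 6, 8 or 12; any other value leaves s unchanged */`. The argument order of STORESTATE after the ROUND5 chains (`STORESTATE(s, x4, x0, x1, x2, x3)` in P12ROUNDS, `(s, x1, x2, x3, x4, x0)` in P8ROUNDS, `(s, x2, x3, x4, x0, x1)` in P6ROUNDS) appears to undo the register renaming that each ROUND5 call applies, and a one-line comment at the first occurrence saying so would make the three orderings checkable rather than something a reader has to rederive.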
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include 
+#include 
+#include 
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/round.h
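Review bot: printstate writes all five state words to stdout, and at the `init 1st key xor` and `final 1st key xor` call sites in encrypt.c those words hold the key XORed into the state; the function is compiled only under ASCON_PRINT_STATE, but nothing in printstate.h says that this switch turns on key-material output. A comment at the `#ifdef ASCON_PRINT_STATE` in the header, `/* debug tracing only: dumps key-dependent state to stdout; never define in production builds */`, makes the cost of enabling it explicit. On a smaller point, `for (int i = strlen(text); i < 17; ++i)` narrows a size_t into an int and triggers a sign-compare warning; `for (size_t i = strlen(text); i < 17; ++i)` has the same effect without it. The ASCON_PRINT_BI block prints `s->w[i][1]` before `s->w[i][0]`, which is a deliberate high-half-first layout and deserves a one-line comment since printword shows the same state in un-interleaved form next to it.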
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_armv7m_small/word.h 
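Review bot: PROUNDS has no guard on nr and ROUND_LOOP is a do-while (the first `ldrb` executes before `cmp %[C], %[E]`), so `PROUNDS(s, 0)` starts at `constants + 24`, equal to E, and reads one byte past the 24-entry table, while nr > 12 makes START(nr) negative and starts before it. Every caller in encrypt.c passes 6, 8 or 12, so a comment on PROUNDS documenting the precondition is probably enough: `/* nr must be in 1..12: the loop body runs at least once and reads constants[START(nr)..23] */`. The `"i"` constraints on C_e and C_o in ROUND and ROUND5 also compile only when C is a compile-time constant, which the RCx macros satisfy but `RC(i)` with a runtime i would not; a comment at ROUND saying so would stop someone from reaching for it in a loop. ROUND_LOOP's `ldrb` reads through C with no memory operand or "memory" clobber, which is sound while `constants` stays a const table but is an assumption the asm should state in a comment.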
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/ascon.h 
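Review bot: LOAD and STORE always touch 8 bytes through `*(uint64_t*)bytes` even when n < 8: LOAD reads the full word and masks afterwards, and STORE clears the low n bytes in memory and then ORs the whole of `WORDTOU64(w)` back, so the bytes at offsets n..7 beyond the caller's block are both read and rewritten as `old | word`. The partial-block calls in encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(c, *px, mlen)`, `LOAD(c, clen)`, `STORE(m, *px, clen)`) therefore rely on the caller's buffers having slack after the data, which nothing in the API states, and for decrypt the rewritten bytes lie past m + mlen. The cast also performs an unaligned 64-bit access on an arbitrary byte pointer, which the compiler may lower to LDRD/STRD and which faults on ARMv7-M when the address is not word-aligned. LOADBYTES and STOREBYTES further down already do the bounded memcpy; LOAD and STORE can take the same form with no change to their interface or to what the low n bytes receive, as below.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* bounded copy: touches only bytes[0..n), any alignment; n <= 8 */
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* writes only bytes[0..n); memory at and beyond offset n is left untouched */
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```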
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include 
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/config.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/config.h
new file mode 100644
index 0000000..08d2df0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 0
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.c
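Review bot: `typedef struct { ... } key_t;` in ascon.h takes a name that POSIX already defines in <sys/types.h> (the System V IPC key type), and common libc headers include that header transitively, so a translation unit that includes ascon.h next to a system header may fail with conflicting type definitions on such platforms. A project-prefixed name such as `ascon_key_t` avoids the clash; the five prototypes below and the key_t uses in encrypt.c would follow. Separately, the `#if (CRYPTO_KEYBYTES == 20)` inside the struct depends on api.h having been included earlier by whoever includes ascon.h, since ascon.h itself pulls in only a system header and word.h, and word.h does not include api.h either; where that does not happen the macro evaluates to 0 and the struct loses k0, giving a different layout in that translation unit. An explicit `#include "api.h"` at the top of ascon.h, or a comment stating the ordering requirement, makes the dependency visible.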
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include 
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/encrypt.c
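Review bot: `#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])` does not parenthesise its parameter, unlike `START(n)` two lines below, so an argument such as `x ? 1 : 2` expands to `constants[x ? 1 : 2 + 1]` and indexes the wrong entry; `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` closes that. The RC0..RCb literals and the `constants[]` table in constants.c are the same twelve values in bit-interleaved form, low half the even bits and high half the odd bits of the usual Ascon round constants (0xe1 splits into even bits 0x9 and odd bits 0xc, which is RC1), but nothing in either file says so. A comment above RC0 along the lines of `/* round constants 0xf0..0x4b, bit-interleaved: even bits in the low word, odd bits in the high word; constants[] holds the same pairs */` would let a reader verify the table against the specification instead of trusting it.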
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/endian.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/endian.h 
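Review bot: crypto_aead_decrypt has already written the whole plaintext into m by the time `NOTZERO(s.x[3], s.x[4])` runs, and on a tag mismatch it only returns the nonzero result, leaving the unauthenticated bytes in the caller's buffer for any caller that does not check the return value before using m. Wiping the buffer on failure keeps the API identical while making the rejection hard to overlook, replacing the final return with `int r = NOTZERO(s.x[3], s.x[4]); if (r) memset(m, 0, (size_t)*mlen); return r;` (memset needs <string.h>, which word.h already relies on for memcpy). The stack copies of `s` and `key` in both entry points are likewise left behind on return; whether that matters depends on the deployment, but a comment next to the `state_t s;` declarations saying it is intentional would save the question being asked again. The existing `verify tag (should be constant time, check compiler output)` comment is the right caution: NOTZERO is written branch-free, but the generated code for this file should be inspected on the target.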
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/forceinline.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/forceinline.h
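Review bot: The little-endian U64BIG expands its argument once per masked term, eight times in total, and U32BIG and U16BIG four and two times; `U64BIG(WORDTOU64(x))` in printstate.c and `U64BIG((uint64_t)hi << 32 | lo)` in interleave.h therefore grow into large expressions, and any argument with a side effect would be repeated. A comment on the little-endian definition, `/* x is evaluated 8 times: pass an lvalue or a side-effect-free expression */`, states the constraint where callers will see it. On GCC and Clang `__builtin_bswap64(x)` is the single-evaluation form, if the project wants a compiler-specific branch alongside the portable one.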
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.c
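Review bot: `#elif defined(__CLANG__)` tests a macro that clang does not predefine (clang's identifier is `__clang__`, lowercase), and since clang also predefines `__GNUC__` the preceding branch already captures it, so the `__has_attribute(__always_inline__)` probe below it is unreachable and the fallback it guards is dead. Either drop that branch or fold the probe into the GNU one, e.g. `#elif defined(__GNUC__) || defined(__clang__)`, so the header says what it actually does. A short comment on the `__GNUC__` branch noting that it also covers clang would prevent the same confusion from being reintroduced.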
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.c 
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.c 
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/round.h new file mode 100644 index 0000000..2b8d9f1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/round.h 
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + /* linear layer */ + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowreg/word.h 
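Review bot: `PROUNDS` computes its start index as `START(nr)` and then runs a do/while until `i == END` with no range check on `nr`: for `nr == 0` the first iteration already reads `constants[24]` and `constants[25]`, past the 24-entry table that constants.c defines, and since `i` then steps past `END` the loop never terminates. Every caller on this page passes 6, 8 or 12, so this is an undocumented precondition rather than a live defect, but the function should say so, e.g. `/* nr must be 6, 8 or 12; no bounds check, RC(i) indexes the 24-entry constants table */`. The identical round.h hunk under bi32_lowsize has the same gap.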
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/ascon.h new file mode 100644 index 0000000..70a4dee --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/ascon.h 
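Review bot: `LOAD` and `STORE` dereference the caller's `uint8_t*` as a `uint64_t*` (`*(uint64_t*)bytes & MASK(n)` and the two `*(uint64_t*)bytes` read-modify-writes), which is a type-punned and possibly unaligned 8-byte access to buffers that arrive straight from the public API (`k`, `npub`, `m`, `c`) — undefined under the aliasing rules and a trap on strict-alignment 32-bit cores, which is exactly the audience of a bi32 build. Both also always touch 8 bytes even when `n < 8`; in the hunks visible here every call site passes `n == 8` (encrypt.c, update.c), so that part is latent, but the precondition is nowhere stated. `LOADBYTES`/`STOREBYTES` in the same hunk already go through memcpy, which compilers fold to a single load where the target permits, so the two functions can be written the same way with identical results; a comment such as `/* requires 8 addressable bytes at `bytes`, whatever n is */` should accompany whichever form is kept.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x;
  memcpy(&x, bytes, 8); /* still reads 8 bytes; n only masks */
  return U64TOWORD(x & MASK(n));
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x;
  memcpy(&x, bytes, 8);
  x = (x & ~MASK(n)) | WORDTOU64(w);
  memcpy(bytes, &x, 8);
}
/* … unchanged: LOADBYTES, STOREBYTES … */
```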
@@ -0,0 +1,36 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#define ASCON_ABSORB 0x1 +#define ASCON_SQUEEZE 0x2 +#define ASCON_INSERT 0x4 +#define ASCON_HASH 0x8 +#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE) +#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT) + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode); + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/config.h new file mode 100644 index 0000000..b6ab257 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/config.h @@ -0,0 +1,29 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 0 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.c 
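Review bot: The `typedef struct { ... } key_t;` in ascon.h reuses `key_t`, a type POSIX declares in `<sys/types.h>`, and on glibc that header is commonly pulled in by `<stdlib.h>` under the default feature macros, so a translation unit that includes both a libc header and ascon.h can fail with a conflicting typedef; a project-prefixed name such as `ascon_key_t` avoids the clash (encrypt.c on this page would need the same rename). Separately, the `ascon_aead` prototype names its fourth parameter `len` while the definition in encrypt.c calls it `tlen`; using one name in both places keeps the header honest about what the length refers to.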
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + /* ascon encryption */ + ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); + /* set tag */ + for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i]; + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + /* ascon decryption */ + ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT); + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i]; + return (((result - 1) >> 8) & 1) - 1; +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/encrypt.c new file mode 100644 index 0000000..c6100f6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/encrypt.c 
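Review bot: In `crypto_aead_decrypt` the plaintext is written to `m` and `*mlen` is set before the tag is compared, so on a mismatch the caller is left holding unauthenticated plaintext with a plausible length and only the -1 return says otherwise; a caller that does not check the return value will use it. The accumulate-and-fold comparison itself is a sound constant-time pattern, but the function could at least scrub the output before reporting failure: `int ret = (((result - 1) >> 8) & 1) - 1;` `if (ret) memset(m, 0, (size_t)*mlen);` `return ret;` (memset needs `<string.h>`; the include names in this hunk were lost in rendering, so check what the file already pulls in). Also `uint8_t t[16]` is sized with a literal while the loops use `CRYPTO_ABYTES`; `uint8_t t[CRYPTO_ABYTES]` keeps the two tied together.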
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/endian.h 
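Review bot: `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and the line after it store the tag through a `uint64_t*` cast of `t`, which in crypto_aead.c on this page is a plain `uint8_t t[16]` with no 8-byte alignment guarantee, so this is a type-punned and potentially unaligned write (an aliasing violation, and a trap on strict-alignment cores). word.h in this same commit already provides a memcpy-based store, so the two lines can become `STOREBYTES(t, s.x[3], 8);` and `STOREBYTES(t + 8, s.x[4], 8);` with byte-identical output. A secondary point: `key_t key` and `state_t s` hold the key and key-derived state and are simply abandoned on return; if the project intends to scrub them, a plain memset at the end of `ascon_aead` is typically removed as a dead store, so it would need a compiler barrier or a volatile-based wipe. `ascon_aead`'s body begins on the previous physical line.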
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.c
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.c 
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.c 
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/round.h new file mode 100644 index 0000000..2b8d9f1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/round.h 
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + /* linear layer */ + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/update.c 
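Review bot: round.h uses `START`, `INC`, `END` and `RC` in `PROUNDS` (and `ROR` in `ROUND`) but includes only ascon.h and printstate.h, so it compiles only because permutations.h happens to include constants.h first; adding `#include "constants.h"` (and `#include "word.h"` if ascon.h does not provide `ROR`) makes the header self-contained. The `do { … } while (i != END)` loop also assumes `nr >= 1`: with the `START`/`INC`/`END` definitions shown in armv6/constants.h later in this patch, `START(0)` already equals `END`, so the loop runs one round and then counts down past `END` indefinitely (assuming bi32_lowsize's constants.h matches). A comment `/* precondition: nr >= 1; START(nr) reaches END after exactly nr steps */` above `PROUNDS` would record that.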
@@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/word.h new file mode 100644 index 0000000..d685b5e 
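Review bot: In `ascon_update()` `tmp` is declared without an initialiser and is assigned only inside the absorb block, yet the insert branch `s->x[i] = tmp;` runs whenever `mode & ASCON_INSERT` is set. When `ASCON_HASH_BYTES` is defined the absorb block is guarded by `if (mode & ASCON_ABSORB)`, so a mode with INSERT but without ABSORB would read an indeterminate value; the callers are not in this hunk, so whether that combination occurs cannot be confirmed here. Initialising with `uint64_t tmp = 0;` or a comment such as `/* ASCON_INSERT implies ASCON_ABSORB: tmp is always loaded before use */` closes the gap. A short header comment listing the `mode` flag combinations the function supports is also missing.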
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/bi32_lowsize/word.h
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/api.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/ascon.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/ascon.h new file mode 100644 index 0000000..78a7c27 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/ascon.h @@ -0,0 +1,10 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +typedef struct { + uint64_t x[5]; +} state_t; + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/constants.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/constants.h new file mode 100644 index 0000000..928d252 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/constants.h 
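Review bot: `LOAD()` and `STORE()` access a full `uint64_t` at `bytes` regardless of `n` — `STORE` even read-modify-writes all 8 bytes — so a caller passing `n < 8` on a buffer with fewer than 8 bytes left over-reads or over-writes it; within this patch update.c only calls them with 8, but the precondition is undocumented. `*(uint64_t*)bytes` is also an unaligned, type-punned access that is undefined under strict aliasing and faults on targets without unaligned support; `memcpy(&x, bytes, 8)`, as `LOADBYTES` already does, compiles to the same load where the cast works. At minimum add `/* bytes must point to 8 readable (STORE: writable) bytes; only the low n are meaningful */` above `LOAD`. Separately, the `/* undefined for n == 0 */` comment on both `CLEAR` definitions looks misplaced — their shifts are by 0 for `n == 0`, which is well defined, whereas `MASK(0)` shifts by 64 and is not — and update.c calls `CLEAR(s->x[i], len)` with `len` possibly 0, so the comment should move to `MASK` or be corrected.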
@@ -0,0 +1,81 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/encrypt.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/encrypt.c new file mode 100644 index 0000000..e1e879c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/encrypt.c 
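Review bot: The IV and round-constant values here (e.g. `ASCON_128A_IV 0x8822000000200000ull`, `RC0 0x0000000c0000000cull`) differ from the same-named macros in armv6/constants.h later in this patch (`0x80800c0800000000ull`, `0xf0`), and nothing in the file says why. They appear to be the bit-interleaved encoding used by the bi32 implementations, with `ROR` in ref/round.h rotating the two 32-bit halves accordingly. A header comment such as `/* all constants are stored in bit-interleaved (even/odd bit) form; see ROR in round.h */` would stop a maintainer from "correcting" them against the specification values.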
@@ -0,0 +1,218 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" +#include "word.h" + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + + /* load key and nonce */ + const uint64_t K0 = LOADBYTES(k, 8); + const uint64_t K1 = LOADBYTES(k + 8, 8); + const uint64_t N0 = LOADBYTES(npub, 8); + const uint64_t N1 = LOADBYTES(npub + 8, 8); + + /* initialize */ + state_t s; + s.x[0] = ASCON_128A_IV; + s.x[1] = K0; + s.x[2] = K1; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("init 2nd key xor", &s); + + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_128A_RATE) { + s.x[0] ^= LOADBYTES(ad, 8); + s.x[1] ^= LOADBYTES(ad + 8, 8); + printstate("absorb adata", &s); + P8(&s); + ad += ASCON_128A_RATE; + adlen -= ASCON_128A_RATE; + } + /* final associated data block */ + if (adlen >= 8) { + s.x[0] ^= LOADBYTES(ad, 8); + s.x[1] ^= LOADBYTES(ad + 8, adlen - 8); + s.x[1] ^= PAD(adlen - 8); + } else { + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + } + printstate("pad adata", &s); + P8(&s); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + + /* full plaintext blocks */ + while (mlen >= ASCON_128A_RATE) { + s.x[0] ^= LOADBYTES(m, 8); + s.x[1] ^= LOADBYTES(m + 8, 8); + STOREBYTES(c, s.x[0], 8); + STOREBYTES(c + 8, s.x[1], 8); + printstate("absorb plaintext", &s); + P8(&s); + m += ASCON_128A_RATE; + c += ASCON_128A_RATE; + mlen -= ASCON_128A_RATE; + } + /* final plaintext block */ + if (mlen >= 8) { + s.x[0] ^= LOADBYTES(m, 8); + s.x[1] ^= LOADBYTES(m + 8, mlen - 8); + STOREBYTES(c, s.x[0], 8); + 
STOREBYTES(c + 8, s.x[1], mlen - 8); + s.x[1] ^= PAD(mlen - 8); + } else { + s.x[0] ^= LOADBYTES(m, mlen); + STOREBYTES(c, s.x[0], mlen); + s.x[0] ^= PAD(mlen); + } + c += mlen; + printstate("pad plaintext", &s); + + /* finalize */ + s.x[2] ^= K0; + s.x[3] ^= K1; + printstate("final 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("final 2nd key xor", &s); + + /* set tag */ + STOREBYTES(c, s.x[3], 8); + STOREBYTES(c + 8, s.x[4], 8); + + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + + if (clen < CRYPTO_ABYTES) return -1; + + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + + /* load key and nonce */ + const uint64_t K0 = LOADBYTES(k, 8); + const uint64_t K1 = LOADBYTES(k + 8, 8); + const uint64_t N0 = LOADBYTES(npub, 8); + const uint64_t N1 = LOADBYTES(npub + 8, 8); + + /* initialize */ + state_t s; + s.x[0] = ASCON_128A_IV; + s.x[1] = K0; + s.x[2] = K1; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("init 2nd key xor", &s); + + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_128A_RATE) { + s.x[0] ^= LOADBYTES(ad, 8); + s.x[1] ^= LOADBYTES(ad + 8, 8); + printstate("absorb adata", &s); + P8(&s); + ad += ASCON_128A_RATE; + adlen -= ASCON_128A_RATE; + } + /* final associated data block */ + if (adlen >= 8) { + s.x[0] ^= LOADBYTES(ad, 8); + s.x[1] ^= LOADBYTES(ad + 8, adlen - 8); + s.x[1] ^= PAD(adlen - 8); + } else { + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + } + printstate("pad adata", &s); + P8(&s); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + + /* full ciphertext blocks */ + clen -= CRYPTO_ABYTES; + while (clen >= ASCON_128A_RATE) { + 
uint64_t c0 = LOADBYTES(c, 8); + uint64_t c1 = LOADBYTES(c + 8, 8); + STOREBYTES(m, s.x[0] ^ c0, 8); + STOREBYTES(m + 8, s.x[1] ^ c1, 8); + s.x[0] = c0; + s.x[1] = c1; + printstate("insert ciphertext", &s); + P8(&s); + m += ASCON_128A_RATE; + c += ASCON_128A_RATE; + clen -= ASCON_128A_RATE; + } + /* final ciphertext block */ + if (clen >= 8) { + uint64_t c0 = LOADBYTES(c, 8); + uint64_t c1 = LOADBYTES(c + 8, clen - 8); + STOREBYTES(m, s.x[0] ^ c0, 8); + STOREBYTES(m + 8, s.x[1] ^ c1, clen - 8); + s.x[0] = c0; + s.x[1] = CLEARBYTES(s.x[1], clen - 8); + s.x[1] |= c1; + s.x[1] ^= PAD(clen - 8); + } else { + uint64_t c0 = LOADBYTES(c, clen); + STOREBYTES(m, s.x[0] ^ c0, clen); + s.x[0] = CLEARBYTES(s.x[0], clen); + s.x[0] |= c0; + s.x[0] ^= PAD(clen); + } + c += clen; + printstate("pad ciphertext", &s); + + /* finalize */ + s.x[2] ^= K0; + s.x[3] ^= K1; + printstate("final 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("final 2nd key xor", &s); + + /* set tag */ + uint8_t t[16]; + STOREBYTES(t, s.x[3], 8); + STOREBYTES(t + 8, s.x[4], 8); + + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= c[i] ^ t[i]; + result = (((result - 1) >> 8) & 1) - 1; + + return result; +} diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constindex b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/goal-constindex 
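Review bot: `crypto_aead_decrypt()` writes the decrypted bytes to `m` and sets `*mlen` before the tag is compared, so on a failed verification (return -1) the caller is left holding unauthenticated plaintext. The SUPERCOP API tolerates this, but a defensive implementation clears the output, e.g. `if (result) memset(m, 0, *mlen);` before `return result;` (which needs `#include <string.h>`), or at least a comment `/* on failure m holds unauthenticated data and must be discarded */` above the return. armv6/encrypt.c later in this patch has the same structure. The fold `result = (((result - 1) >> 8) & 1) - 1;` right-shifts a negative `int` when the tags match, which is implementation-defined in C; doing the shift on an `unsigned` copy of `result - 1` (taking the sign bit, then subtracting 1) gives the same 0/-1 result portably.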
@@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/implementors b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/permutations.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/permutations.h new file mode 100644 index 0000000..2a5d923 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/permutations.h @@ -0,0 +1,46 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "ascon.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +static inline void P12(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +static inline void P8(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +static inline void P6(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.c b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.c 
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/round.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/round.h new file mode 100644 index 0000000..3653746 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/round.h 
@@ -0,0 +1,50 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +static inline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +static inline uint64_t ROR(uint64_t x, int n) { + uint32_t al = (uint32_t)x; + uint32_t ah = x >> 32; + uint32_t bl, bh; + bl = (n % 2) ? ROR32(ah, (n - 1) / 2) : ROR32(al, n / 2); + bh = (n % 2) ? ROR32(al, (n + 1) / 2) : ROR32(ah, n / 2); + return (uint64_t)bh << 32 | bl; +} + +static inline void ROUND(state_t* s, uint64_t C) { + state_t t; + /* addition of round constant */ + s->x[2] ^= C; + /* printstate(" round constant", s); */ + /* substitution layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + /* start of keccak s-box */ + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); + /* end of keccak s-box */ + t.x[1] ^= t.x[0]; + t.x[0] ^= t.x[4]; + t.x[3] ^= t.x[2]; + t.x[2] = ~t.x[2]; + /* printstate(" substitution layer", &t); */ + /* linear diffusion layer */ + s->x[0] = t.x[0] ^ ROR(t.x[0], 19) ^ ROR(t.x[0], 28); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61) ^ ROR(t.x[1], 39); + s->x[2] = t.x[2] ^ ROR(t.x[2], 1) ^ ROR(t.x[2], 6); + s->x[3] = t.x[3] ^ ROR(t.x[3], 10) ^ ROR(t.x[3], 17); + s->x[4] = t.x[4] ^ ROR(t.x[4], 7) ^ ROR(t.x[4], 41); + printstate(" round output", s); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/word.h b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/word.h new file mode 100644 index 0000000..3157950 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128abi32v12/ref/word.h 
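Review bot: `ROR()` is not a plain 64-bit rotate — it splits `x` into 32-bit halves, rotates each by about `n/2` and swaps them when `n` is odd — but neither it nor `ROUND()` says so, and the amounts 19/28, 61/39 etc. read as the specification's 64-bit rotations. A comment above `ROR` such as `/* rotation of a bit-interleaved word: each 32-bit half is rotated by n/2 and the halves swap for odd n */` would make the representation explicit (which half holds the even bits is not visible here — confirm against TOBI in word.h). `ROR32(x, n)` relies on `-n & 31` to keep the second shift below 32 for `n == 0`; `/* n in [0,31]; -n & 31 keeps x << (32 - n) well defined for n == 0 */` documents that trick.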
@@ -0,0 +1,36 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +typedef uint64_t uint64_t; + +/* get byte from 64-bit Ascon word */ +#define GETBYTE(x, i) ((uint8_t)((uint64_t)(x) >> (56 - 8 * (i)))) + +/* set byte in 64-bit Ascon word */ +#define SETBYTE(b, i) ((uint64_t)(b) << (56 - 8 * (i))) + +/* set padding byte in 64-bit Ascon word */ +#define PAD(i) SETBYTE(0x80, i) + +/* load bytes into 64-bit Ascon word */ +static inline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + for (int i = 0; i < n; ++i) x |= SETBYTE(bytes[i], i); + return x; +} + +/* store bytes from 64-bit Ascon word */ +static inline void STOREBYTES(uint8_t* bytes, uint64_t x, int n) { + for (int i = 0; i < n; ++i) bytes[i] = GETBYTE(x, i); +} + +/* clear bytes in 64-bit Ascon word */ +static inline uint64_t CLEARBYTES(uint64_t x, int n) { + for (int i = 0; i < n; ++i) x &= ~SETBYTE(0xff, i); + return x; +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/api.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/architectures b/ascon/Implementations/crypto_aead/ascon128av12/armv6/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/ascon.h 
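Review bot: `typedef uint64_t uint64_t;` redeclares a typedef with its own name; C11 permits an identical redefinition but C99 rejects it, and the line serves no purpose once `<stdint.h>` is included — drop it. The byte helpers assume `i` in 0..7 and `n` in 0..8 (`56 - 8 * (i)` goes negative otherwise), which the per-macro comments do not mention; `/* i in 0..7, n in 0..8 */` on the `GETBYTE`/`SETBYTE` comments would state the bound.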
@@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/config.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/config.h new file mode 100644 index 0000000..99d7b54 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/config.h @@ -0,0 +1,19 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 0 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/constants.h 
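Review bot: `typedef struct { … } key_t;` reuses the name `key_t`, which POSIX defines in `<sys/types.h>` (the System V IPC key type); on libcs where a standard header such as `<stdlib.h>` pulls that in, the translation unit fails with a conflicting typedef. Renaming to a project-prefixed name such as `ascon_key_t` (with the matching updates in encrypt.c, which is in a later hunk) avoids the clash. `state_t` does not collide today, but `*_t` names are reserved by POSIX for the implementation, so the same prefix would be prudent there.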
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/encrypt.c 
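Review bot: `START`, `INC` and `END` are the loop parameters for the rolled permutation (`PROUNDS` in round.h) but carry no explanation. `START(n) = ((3 + n) << 4 | (12 - n))` evaluates to 0xf0, 0xb4 and 0x96 for n = 12, 8, 6 — i.e. RC0, RC4 and RC6, the first constant of each round count — and stepping by `INC` (-0x0f) walks down the RC list until `END` (0x3c), one step past RCb (0x4b), which is why `RC(i)` is the identity. A comment above `START`, e.g. `/* first round constant of an n-round permutation: START(12)=RC0, START(8)=RC4, START(6)=RC6; each step subtracts 0x0f until END (one past RCb) */`, would save the next reader the arithmetic.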
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/endian.h 
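Review bot: In the final-block handling, `LOAD(m, mlen)` in `ascon_encrypt()` and `STORE(m, *px, clen)` in `ascon_decrypt()` pass a partial length on a buffer that has fewer than 8 bytes left; armv6/word.h is not in this chunk, but if its `LOAD`/`STORE` follow the bi32_lowsize/word.h form shown earlier in this patch (`*(uint64_t*)bytes & MASK(n)` and a read-modify-write of the whole word) they read or write up to 7 bytes beyond the caller's `m` buffer, which `CRYPTO_NOOVERLAP` does not license. Confirm against armv6/word.h; if so, switching the tail to `LOADBYTES`/`STOREBYTES` (already used here for the key and tag) keeps the access within `n` bytes. Either way a comment above `ascon_encrypt` stating which helpers touch a full 8-byte word would make the assumption explicit.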
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/forceinline.h 
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/implementors b/ascon/Implementations/crypto_aead/ascon128av12/armv6/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.c 
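Review bot: The `#elif defined(__CLANG__)` branch in this header is never taken: clang's predefined macro is `__clang__` (lowercase), and clang also defines `__GNUC__`, so it is already caught by the preceding `defined(__GNUC__)` branch. Either drop the dead branch or spell it `#elif defined(__clang__)` and order it before the GNUC test if the `__has_attribute` probe is the path intended for clang. The armv6_lowsize copy of forceinline.h later in this commit (same blob) has the same dead branch.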
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/permutations.h
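Review bot: `P6` is only compiled here when `ASCON_AEAD_RATE == 8` (and `P8` only for rate 16 or `ASCON_HASH_ROUNDS == 8`), yet permutations.h in this commit declares all three unconditionally and has `P()` call each behind a plain `if (nr == …)` in its `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` branch. With rate 16 the `P6(s)` reference is dead only after `nr` is constant-folded, so a build with `ASCON_UNROLL_LOOPS=1`, `ASCON_INLINE_PERM=0` and no optimisation may keep the call and fail at link time with an undefined `P6`. Guarding the declarations and the calls in permutations.h with the same `#if` conditions used in this file keeps the two in step, e.g. wrapping `void P6(state_t* s);` and `if (nr == 6) P6(s);` in `#if defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8`.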
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/round.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/round.h
new file mode 100644
index 0000000..cdc6a38
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/round.h
@@ -0,0 +1,283 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor 
%[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] 
"=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor 
%[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ 
\ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], 
lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* 
ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6/word.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
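Review bot: `ROUND_LOOP` hard-codes the round-constant step and terminator as `sub %[C], #15` and `cmp %[C], #60` inside the asm string, while constants.h in this commit defines exactly these values as `INC -0x0f` and `END 0x3c` and the C side already derives the start value with `START(nr)`; editing one side without the other would silently desynchronise the loop. Feeding them in as operands, e.g. `"sub %[C], %[inc]\n\t"` / `"cmp %[C], %[end]\n\t"` with `[ inc ] "i"(-INC), [ end ] "i"(END)` added to the input list, keeps a single source of truth. A one-line comment above `ROUND_LOOP`, `/* C walks from START(nr) down to END in steps of 15, one round per step */`, would also help a reader who does not know the constant encoding. The `github_com` in the `ROUND5` attribution comment looks like a mangled `github.com` and is worth restoring.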
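Review bot: `LOAD` and `STORE` touch a full 8 bytes through `*(uint64_t*)bytes` whatever `n` is: on a final partial block `LOAD(c, clen)` reads past the `n` valid input bytes, and `STORE` both reads and writes all 8 bytes at `bytes` and, because `w` is not masked, ORs the state bytes beyond `n` into memory, so a caller whose buffer is exactly `n` bytes long gets an out-of-bounds access (the cast is also a type-punned, potentially unaligned 64-bit access that an ARMv6 core may fault on or split). The memcpy-based `LOADBYTES`/`STOREBYTES` a few lines below have the intended bounded semantics; moving them above `LOAD`/`STORE` and delegating the partial-block case to them, or at minimum a comment at the top of the header stating that every buffer passed to `LOAD`/`STORE` must be readable and writable for 8 bytes from the given pointer, would make the contract explicit. The `/* undefined for n == 0 */` comment on `CLEAR` appears copied from `MASK`: `CLEAR` shifts by `8 * n`, so it is `n == 8` that shifts by 64, while `MASK(0)` is the case that shifts by 64. `NOTZERO` right-shifts a negative `int` when both inputs are zero (`(int)(result & 0xff) - 1` is -1), which is implementation-defined; doing the subtraction and shift in `unsigned` gives the same 0 / -1 result with defined behaviour.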
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
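Review bot: `typedef struct { … } key_t;` in ascon.h reuses `key_t`, the POSIX System V IPC key type declared in `<sys/types.h>`, so any translation unit that sees that system header (directly or via another libc header) before this one gets a conflicting typedef. A project-prefixed name such as `ascon_key_t` avoids the clash; the armv6 variant's encrypt.c at the top of this chunk also declares `key_t key;`, so it presumably carries the same typedef and should be renamed together with this one. The `ascon_aead` prototype would also benefit from a comment stating what `t`, `out` and `mode` are, e.g. `/* t: 16-byte tag out; out: ciphertext or plaintext of len bytes; mode: ASCON_ENCRYPT or ASCON_DECRYPT */`.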
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/crypto_aead.c 
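Review bot: `INC`, `END`, `START(n)` and `RC(i)` are very short, unprefixed macro names in a header that every translation unit of the implementation includes, and `END` in particular is a common identifier in application code and other libraries; the rest of this file consistently uses an `ASCON_` prefix (`ASCON_128_IV`, `ASCON_PRF_PB_ROUNDS`). Renaming them `ASCON_RC_INC`, `ASCON_RC_END`, `ASCON_RC_START(n)` and updating round.h, which hard-codes the same 15 / 0x3c values in its asm, removes the collision risk. A short comment above `START(n)` would also help: from the visible values, `START(n)` packs `3 + n` into the high nibble and `12 - n` into the low nibble, so stepping by `INC` reaches `END` (0x3c) after exactly `n` rounds.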
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/encrypt.c
new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/encrypt.c
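Review bot: The tag check's final expression `(((result - 1) >> 8) & 1) - 1` right-shifts a negative `int` in the matching case (`result == 0`), which is implementation-defined in C; the intended arithmetic shift holds on the compilers this targets, but `return (int)((((unsigned)result - 1u) >> 8) & 1u) - 1;` gives the same 0 / -1 mapping with fully defined behaviour and stays branch-free. `crypto_aead_decrypt` also leaves the decrypted bytes in `m` when it returns -1, because `ascon_aead` writes them before the tag is compared; a comment on the function such as `/* on -1 the contents of m are unauthenticated and must be discarded by the caller */` makes that contract explicit. The `t` buffer is declared `uint8_t t[16]` here but filled through a `uint64_t*` in encrypt.c, which is raised on that hunk.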
@@ -0,0 +1,95 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ key_t key;
+ ascon_loadkey(&key, k);
+ /* initialize */
+ state_t s;
+ ascon_initaead(&s, npub, &key);
+ /* process associated data */
+ if (adlen) {
+ ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB);
+ printstate("pad adata", &s);
+ P(&s, nr);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+ /* process plaintext/ciphertext */
+ ascon_update(&s, out, in, tlen, mode);
+ if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s);
+ if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s);
+ /* finalize */
+ ascon_final(&s, &key);
+ ((uint64_t*)t)[0] = WORDTOU64(s.x[3]);
+ ((uint64_t*)t)[1] = WORDTOU64(s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/endian.h
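Review bot: `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and the line after it store through a `uint64_t*` into `t`, which both callers in crypto_aead.c declare as `uint8_t t[16]` with no alignment guarantee; that is a type-punned store that is only byte-aligned as far as the language is concerned and may fault or be split on an ARMv6 core depending on how the array lands on the stack. `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` from word.h writes the same bytes via memcpy, and is what the armv6 `crypto_aead_encrypt` at the top of this chunk already uses for the tag. A header comment on `ascon_aead` would also help, e.g. `/* Runs the full AEAD: t receives the 16-byte tag; out receives ciphertext (ASCON_ENCRYPT) or the still-unverified plaintext (ASCON_DECRYPT) of tlen bytes. */`.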
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/forceinline.h 
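Review bot: `U64BIG`, `U32BIG` and `U16BIG` are function-like macros that evaluate their argument up to eight times, so a nested call such as `U64BIG(WORDTOU64(x))` in printstate.c (where `WORDTOU64` is itself `U64BIG`) expands to 64 occurrences of `x`, and any side-effecting argument would run repeatedly. Since the file already targets a C99 compiler, `static inline uint64_t` byte-swap helpers with the same body would evaluate `x` once and let the compiler recognise a plain `rev`; if the macros stay, a comment `/* argument is evaluated multiple times: pass only side-effect-free expressions */` above them is the minimum. The `_MSC_VER` test is taken as proof of little-endian, which holds for every MSVC target today but should be stated in the comment rather than implied.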
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.c 
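Review bot: The `#elif defined(__CLANG__)` branch is dead: clang predefines `__clang__` (lowercase), never `__CLANG__`, and because clang also defines `__GNUC__` it is already caught by the preceding branch, so the `__has_attribute` probe never runs. Either drop the branch or spell it `#elif defined(__clang__)` and move it above the `__GNUC__` test so the attribute check is actually used for clang. A one-line comment such as `/* clang also defines __GNUC__, so it takes the GCC path */` would stop the next reader from re-adding it.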
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.c 
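Review bot: In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` configuration `P()` calls `P12`, `P8` and `P6`, but permutations.c in this same patch defines `P8` only when the AEAD rate is 16 (or the hash uses 8 rounds) and `P6` only when the rate is 8, so the unused calls must be dead-code-eliminated or the link fails. That holds as long as every caller passes a compile-time constant and `P` is really inlined — true for the visible callers (`P(s, 12)`, `P(&s, nr)` with `nr` folded from `ASCON_AEAD_RATE`) — but nothing enforces it, and a non-constant `nr` other than 12, 8 or 6 is silently a no-op. Add a comment above the dispatch stating the invariant, e.g. `/* nr must be a compile-time constant in {12, 8, 6}; other values are a no-op, and a non-inlined call needs all three P* symbols */`, or back the missing cases with an `#error` in permutations.c.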
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/round.h new file mode 100644 index 0000000..cdc6a38 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/round.h 
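Review bot: `printstate` is called on states that still contain the key — the `init 1st key xor` and `final 1st key xor` dumps print x1/x2 (and x3/x4) right after the key words are XORed in — so any build with `ASCON_PRINT_STATE` defined writes raw key material to stdout on every call. That is fine for a KAT-tracing aid, but nothing in the file says so; a header comment such as `/* Debug only: prints the full state, including key and nonce words. Never define ASCON_PRINT_STATE in a production build. */` would make the hazard explicit. Minor: `for (int i = strlen(text); i < 17; ++i)` narrows a `size_t` to `int`; `size_t i` avoids the sign-compare warning.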
@@ -0,0 +1,283 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor 
%[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] 
"=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor 
%[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ 
\ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], 
lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* 
ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/update.c 
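Review bot: The `ROUND_LOOP` asm block executes `cmp %[C], #60` followed by `bne rbegin_%=`, which set and read the condition flags, yet its clobber list is empty; GCC's ARM backend models the flags as a register, so the statement should end with `: "cc");` instead of `:);` so that no live comparison result is kept across the permutation. The straight-line `ROUND` and `ROUND5` blocks use only non-flag-setting `eor/mvn/orr/bic/and` and are fine as written. `ROUND` constrains `C` with `"i"`, which only assembles once the call has been inlined with a literal round constant — worth a comment `/* C must fold to a compile-time constant: the "i" constraint emits it as an immediate */` next to the parameter. The loop exit depends only on the public round count, so the constant-branch claim in goal-constbranch still holds.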
@@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null 
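Review bot: `out += 8` in the block loop runs in every mode, and the visible AEAD caller passes `(void*)0` for `out` when absorbing associated data, so the loop performs pointer arithmetic on a null pointer each iteration — undefined behaviour in C even though the pointer is never dereferenced. Guarding the advance with `if (mode & ASCON_SQUEEZE) out += 8;` (the only mode that touches `out`) removes it without changing the data path. Separately, when `ASCON_HASH_BYTES` is defined `tmp` is assigned only under `if (mode & ASCON_ABSORB)` but read by the `ASCON_INSERT` branch; if any mode value sets INSERT without ABSORB that is an uninitialised read, so a `/* INSERT modes must also set ABSORB */` comment or a static assertion on the mode constants (not visible in this hunk) would pin the assumption.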
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6_lowsize/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/api.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/api.h 
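Review bot: `LOAD` and `STORE` always touch a full 8-byte word at `bytes` regardless of `n`: `LOAD` reads 8 bytes and masks afterwards, and `STORE` does a read-modify-write of all 8 bytes, clearing the first `n` and then ORing in the unmasked `w`, so the bytes beyond `n` are read and overwritten with state bits. The AEAD code in this patch calls both with `n < 8` on the final partial block (`LOAD(ad, adlen)`, `STORE(m, *px, clen)`), which is an out-of-bounds read of up to 7 bytes past the caller's input and, on decryption, a write past the end of `m`; both are also unaligned `uint64_t*` dereferences that ARMv6 may fault on. Either mask the store (`*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`, which still over-reads) or route partial blocks through the memcpy-based `LOADBYTES`/`STOREBYTES` this file already provides, and document the fast pair as `/* always accesses the full 8-byte word; caller must guarantee 8 readable/writable bytes */`. The `/* undefined for n == 0 */` comment on `CLEAR` is misplaced: `~0ull >> 0` is well-defined, it is `n == 8` (shift by 64) that is undefined there, while the same comment on `MASK` is correct.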
@@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/architectures b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/ascon.h @@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/config.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/config.h new file mode 100644 index 0000000..0ac7395 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/config.h 
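Review bot: The `key_t` typedef in ascon.h collides with the POSIX type of the same name declared by `<sys/types.h>`, which common libcs (glibc under its default feature macros, for one) pull in through `<stdlib.h>`, so including this header in a hosted build next to a system header is a conflicting-typedef error or, depending on include order, a silent shadowing. Prefix it, e.g. `} ascon_key_t;`, and update the `key_t*` parameters in the prototypes below and in encrypt.c accordingly; `state_t` is less exposed but the same prefix would be consistent. The stripped `#include` line should carry `<stdint.h>` explicitly since the union uses `uint64_t`/`uint32_t`/`uint8_t`.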
@@ -0,0 +1,19 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 1 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/encrypt.c 
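Review bot: `#define INC -0x0f` is an unparenthesised negative literal, unlike the parenthesised `START(n)` and `RC(i)` beside it; write `#define INC (-0x0f)` so it cannot misbehave when juxtaposed with another operator. The counter encoding is otherwise undocumented: `START(n)` packs `(12 - n)` into the low nibble and `(3 + n)` into the high nibble so that stepping by INC walks RC0..RCb and reaches `END` (0x3c) after the last round, and round.h's `ROUND_LOOP` hard-codes that as `sub #15` / `cmp #60`; a two-line comment above `START` saying `/* round counter: high nibble counts down, low nibble counts up; INC steps one round and END is the value after RCb */` ties the two files together.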
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/endian.h 
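Review bot: In `ascon_decrypt` the final partial block does `STORE(m, *px, clen)` with `clen` in 1..7, and `STORE` in word.h performs a full 8-byte read-modify-write at `m` (clearing the first `clen` bytes and ORing in the whole word), so up to 7 bytes past the end of the caller's plaintext buffer are written with state bits; the matching `LOAD(c, clen)`, `LOAD(ad, adlen)` and `LOAD(m, mlen)` read up to 7 bytes past their inputs. On the encrypt side the over-write lands in the 16-byte tag slack and is later overwritten, but `m` in `crypto_aead_decrypt` has exactly `clen - 16` bytes. The memcpy-based helpers already exist in word.h, so the partial-block lines can become `uint64_t cx = LOADBYTES(c, clen);` and `STOREBYTES(m, *px, clen);` (and `LOADBYTES`/`STOREBYTES` likewise in `ascon_adata`/`ascon_encrypt`), which produces the same in-bounds bytes. Separately, `crypto_aead_decrypt` has already written the full plaintext into `m` when `NOTZERO` reports a tag mismatch; the SUPERCOP/NIST API tolerates that, but a `memset(m, 0, *mlen)` on the failure path is the usual defence against callers that read `m` without checking the return value.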
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/forceinline.h 
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/implementors b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.c
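Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang defines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so clang always takes the preceding GNU branch and the `__has_attribute` probe never runs. The practical effect is nil because the GNU branch yields the same `__attribute__((__always_inline__))`, so this is a tidiness point rather than a defect. Either delete the branch or test the real macro and order it before the GNU test, `#elif defined(__clang__)`.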
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/permutations.h
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.c 
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/round.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/round.h
new file mode 100644
index 0000000..92b9712
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/round.h
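Review bot: printstate.c prints the whole sponge state to stdout, and at the "init 1st key xor" checkpoint that state holds the raw key words in x1 and x2 (ascon_initaead sets `s->x[1] = key->k1; s->x[2] = key->k2;` right before the call, as visible in the armv6m_lowsize encrypt.c of this patch), so any build with ASCON_PRINT_STATE defined writes the key and every absorbed block to the console. The `#ifdef` makes this opt-in, but the file never says what the flag costs; I would add at the top of printstate.c `/* Debug tracing only: dumps the full state, which contains the raw key words right after the first key XOR. Never define ASCON_PRINT_STATE in a production build. */`. Minor: `for (int i = strlen(text); i < 17; ++i)` narrows a size_t into int; `size_t i` avoids the sign-compare warning.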
@@ -0,0 +1,347 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "push {%[tmp1]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], 
%[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], %[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + 
"movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" + "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "pop {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + "sub %[tmp1], %[tmp1], #15\n\t" + "cmp %[tmp1], #60\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "=l"(tmp0), [ tmp2 ] "=l"(tmp1) + : + :); 
+} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp0], %[C]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], 
%[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + "movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" 
+ "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C ] "ri"(C) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ 
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m/word.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ 
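Review bot: LOAD and STORE in word.h dereference `*(uint64_t*)bytes` regardless of `n`, so the final-block calls in ascon_decrypt (`LOAD(c, clen)` / `STORE(m, *px, clen)` with clen < 8) read up to 7 bytes past the end of the ciphertext, and STORE's `&= ~MASK(n); |= WORDTOU64(w)` read-modify-writes all 8 bytes, ORing state bits into the 8-n bytes beyond the requested output. Unless the caller contract guarantees buffers padded to 8 bytes, which nothing in this hunk states, that is an out-of-bounds read and write of adjacent memory; the `uint64_t*` cast additionally asserts word alignment that `unsigned char*` API buffers need not have, and ARMv6-M faults on unaligned word accesses. The safe forms already exist in the same file: LOADBYTES/STOREBYTES `memcpy` exactly `n` bytes and produce the same word for bytes 0..n-1, so LOAD can `return LOADBYTES(bytes, n);` and STORE can call `STOREBYTES(bytes, w, n);`, or the padding/alignment contract should be documented at the top of word.h.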
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
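Review bot: `typedef struct { ... } key_t;` in ascon.h takes the name `key_t`, which POSIX reserves in `<sys/types.h>` for the IPC key type; whenever that header is included directly or transitively on a hosted toolchain, the two definitions collide and the translation unit fails to compile. The `architectures` file in this same hunk lists aarch64 alongside arm, so hosted builds are evidently in scope, not just bare-metal armv6-M. A project-prefixed name avoids the clash, `} ascon_key_t;`, and since the type is only consumed inside encrypt.c the rename stays local to this implementation directory.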
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/encrypt.c
new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/encrypt.c
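Review bot: crypto_aead_decrypt in crypto_aead.c writes the decrypted bytes into `m` before the tag is compared and leaves them there when it returns -1, so a caller that ignores the return value consumes unauthenticated plaintext. The in-place write is conventional for this API shape, but the contract should be stated next to the verify loop, `/* m holds unverified plaintext when -1 is returned; callers MUST discard it */`, or the output cleared before returning with `if (result) memset(m, 0, *mlen);` (branching on the public pass/fail outcome does not undermine the constant-time goal of the comparison). Minor: `(result - 1) >> 8` right-shifts a negative int, which is implementation-defined in C; the code relies on an arithmetic shift, and a one-line comment saying so would save the next reader a detour.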
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ key_t key;
+ ascon_loadkey(&key, k);
+ /* initialize */
+ state_t s;
+ ascon_initaead(&s, npub, &key);
+ /* process associated data */
+ if (adlen) {
+ ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB);
+ printstate("pad adata", &s);
+ P(&s, nr);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+ /* process plaintext/ciphertext */
+ ascon_update(&s, out, in, tlen, mode);
+ if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s);
+ if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s);
+ /* finalize */
+ ascon_final(&s, &key);
+ ((uint64_t*)t)[0] = WORDTOU64(s.x[3]);
+ ((uint64_t*)t)[1] = WORDTOU64(s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/endian.h
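Review bot: ascon_aead stores the tag through `((uint64_t*)t)[0]` and `[1]`, but `t` is the `uint8_t t[16]` local of crypto_aead.c whose guaranteed alignment is 1; the compiler may happen to word-align it, yet nothing promises that, and ARMv6-M faults on unaligned word accesses while the cast also breaks strict aliasing. word.h already ships the byte-wise form, so the drop-in fix is `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);`. Separately, `key` and `s` carry the key words and keyed state on the stack and are not cleared before ascon_aead returns; if stack disclosure is in the threat model a wipe of both at the end would be appropriate, though this may be a deliberate size trade-off for the lowsize target and is worth a comment either way.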
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/forceinline.h 
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.c 
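Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also predefines `__GNUC__`, so clang is already caught by the preceding branch. Either delete the dead branch or, if a clang-specific path is intended, test `defined(__clang__)` and place it before the `__GNUC__` test so it can actually match. The armv7m copy of forceinline.h later in this patch carries the same branch.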
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.c 
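Review bot: Both unrolled variants of `P(state_t* s, int nr)` in permutations.h silently do nothing when `nr` is not 12, 8 or 6, leaving the state unpermuted with no diagnostic, whereas the `PROUNDS` variant accepts any `nr` via `START(nr)`, so the configurations differ in what they tolerate. The callers visible in this patch pass only 12, 8 and 6, so this is latent, but the contract should be written down next to the declaration, e.g. `/* nr must be 12, 8 or 6; the unrolled variants treat any other value as a no-op */`. Turning the last `if` into an `else` with a debug-build assertion would make a wrong round count fail loudly instead of producing a weak permutation.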
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/round.h new file mode 100644 index 0000000..92b9712 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/round.h 
@@ -0,0 +1,347 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "push {%[tmp1]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], 
%[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], %[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + 
"movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" + "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "pop {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + "sub %[tmp1], %[tmp1], #15\n\t" + "cmp %[tmp1], #60\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "=l"(tmp0), [ tmp2 ] "=l"(tmp1) + : + :); 
+} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp0], %[C]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], 
%[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + "movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" 
+ "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C ] "ri"(C) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ 
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/update.c 
@@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null 
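Review bot: `uint64_t tmp;` in `ascon_update` has no initializer, and when `ASCON_HASH_BYTES` is defined the assignments to it (in the loop and in the tail) are guarded by `if (mode & ASCON_ABSORB)`, yet both `if (mode & ASCON_INSERT)` blocks read `tmp` unconditionally. Correctness therefore rests on every mode carrying `ASCON_INSERT` also carrying the `ASCON_ABSORB` bit; the mode definitions are not in this hunk, so that may well hold, but nothing here states it and the compiler cannot see it either. `uint64_t tmp = 0;` together with a comment such as `/* INSERT relies on ABSORB having loaded tmp for the same block */` pins the contract and keeps the function warning-free under -Wmaybe-uninitialized.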
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv6m_lowsize/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/api.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/api.h 
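Review bot: `LOAD` and `STORE` go through `*(uint64_t*)bytes`, which requires the `uint8_t*` to be aligned for `uint64_t` and to have a full 8 bytes accessible regardless of `n`; the public API hands in caller-owned `unsigned char*` buffers with no alignment guarantee, and ARMv6-M, the target of this directory, does not support unaligned word accesses, so a misaligned `in`/`out` pointer in the `LOAD(in, 8)` loop of update.c would HardFault rather than merely run slowly. `LOADBYTES`/`STOREBYTES` below use `memcpy` and are alignment-safe, so for a low-size build they are a reasonable choice for the full-block path as well, at the cost of letting the compiler choose the access sequence. If the cast is kept for speed, the precondition belongs on the functions: `/* bytes must be aligned for uint64_t with 8 bytes accessible; partial blocks must use LOADBYTES/STOREBYTES */`. Also, the `/* undefined for n == 0 */` comment on `CLEAR` is misplaced: its shift is `8 * n`, so n == 0 is fine and n == 8 is the undefined endpoint, while the same comment on `MASK` (`64 - 8 * n`) is correct.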
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/architectures b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/ascon.h
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include 
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/config.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/config.h
new file mode 100644
index 0000000..99d7b54
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/config.h
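Review bot: ascon.h introduces `typedef struct { ... } key_t;`, a name POSIX already uses for the IPC key type in `<sys/types.h>`; on glibc that header can be pulled in transitively by ordinary headers (for example `<stdlib.h>` with default feature macros), and any translation unit that sees both definitions fails with a conflicting typedef. A project-prefixed name such as `ascon_key_t` avoids the clash, and the same rename applies to the `ascon.h` of the other directories in this patch. Separately, `#if (CRYPTO_KEYBYTES == 20)` depends on api.h having been included before ascon.h, which ascon.h does not do itself; with the macro undefined the test quietly evaluates as `0 == 20` and `k0` vanishes from the struct, so either `#include "api.h"` here or add `#ifndef CRYPTO_KEYBYTES` / `#error "include api.h before ascon.h"` above the struct.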
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 0
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/endian.h 
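Review bot: The final-block paths pass a partial length to `LOAD`/`STORE`, which (per the word.h earlier in this patch, assuming the armv7m copy matches the armv6m_lowsize one) always access a full 8 bytes through a `uint64_t*` cast: `*px ^= LOAD(ad, adlen)` in `ascon_adata`, `LOAD(m, mlen)` in `ascon_encrypt` and `LOAD(c, clen)` in `ascon_decrypt` read up to 7 bytes past the caller's buffer, and `STORE(m, *px, clen)` in `ascon_decrypt` writes up to 7 bytes past the `*mlen` bytes the API promises to touch. In `ascon_encrypt` the matching `STORE(c, *px, mlen)` lands in the tag area that `crypto_aead_encrypt` overwrites immediately afterwards, so only the decrypt path corrupts caller memory, but the reads are out of bounds in all three functions. `LOADBYTES`/`STOREBYTES` already provide the bounded forms and produce the same first `n` bytes, so the change is confined to the tails of the three functions, as below. On `crypto_aead_decrypt` it is also worth stating in a comment that `m` holds the decrypted bytes even when the return value is nonzero, so callers must discard it on tag failure.
```c
  /* … unchanged: ascon_adata full blocks and px selection … */
  *px ^= PAD(adlen);
  if (adlen) *px ^= LOADBYTES(ad, adlen);

  /* … unchanged: ascon_encrypt full blocks and px selection … */
  *px ^= PAD(mlen);
  if (mlen) {
    *px ^= LOADBYTES(m, mlen);
    STOREBYTES(c, *px, mlen);
  }

  /* … unchanged: ascon_decrypt full blocks and px selection … */
  *px ^= PAD(clen);
  if (clen) {
    uint64_t cx = LOADBYTES(c, clen);
    *px ^= cx;
    STOREBYTES(m, *px, clen);
    *px = CLEAR(*px, clen);
    *px ^= cx;
  }
```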
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/forceinline.h 
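Review bot: `U64BIG(x)` in the little-endian branch expands its argument eight times, so any call with a side-effecting expression would misbehave; every use I can see in this commit (`U64TOWORD(x)` in `LOAD`, `WORDTOU64(w)` in `STOREBYTES`, and the nested `U64BIG(WORDTOU64(x))` in printstate.c) passes a plain local or parameter, but that is a convention rather than a guarantee. A one-line note above the macro, `/* NOTE: evaluates x several times; pass only side-effect-free expressions */`, pins it down, or the `__GNUC__` case could use `__builtin_bswap64(x)`, which evaluates once and maps to a `rev`/`rev` pair on ARM. The `_MSC_VER` arm also silently assumes little-endian; true for every MSVC target today, but worth saying in the comment.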
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/implementors b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.c
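Review bot: The `#elif defined(__CLANG__)` branch is dead code: clang defines `__clang__` (lower-case) and also `__GNUC__`, so clang is already taken by the preceding `defined(__GNUC__)` branch and the `__has_attribute` probe below it is never compiled. Either drop the branch or spell it `__clang__` and move it ahead of the GNU test if the probe is actually wanted for clang; as written a reader assumes clang takes the guarded path. It is harmless today only because the fallback defines the same attribute.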
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
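Review bot: In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` branch, `P()` references `P12`, `P8` and `P6` unconditionally, while permutations.c in this same commit defines `P6` only for `ASCON_AEAD_RATE == 8` and `P8` only for rate 16 or hash rounds 8, so for this ascon128a build `P6` is declared but never defined. Linking then depends on the compiler folding the `nr == 6` test away after `P` is inlined; at -O0, or when `nr` is no longer a visible constant at the call site, this can end in an undefined reference to `P6`. Guarding the prototypes and the dispatch lines with the same `#if` conditions permutations.c uses, or at least stating above `P()` that it relies on `nr` being a compile-time constant, would make the contract explicit. Whether this branch is selected for the armv7m build depends on a config.h that is outside this chunk.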
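Review bot: `printstate()` prints all five state words, and the lowsize encrypt.c in this same commit calls `printstate("init 1st key xor", s)` immediately after `s->x[1] = key->k1; s->x[2] = key->k2;` (the armv7m encrypt.c's init is outside this chunk but presumably identical), so with `ASCON_PRINT_STATE` defined the raw key and nonce are written to stdout. That is fine for KAT debugging, but the file should say so at the top: `/* Debug aid only: dumps the full state, including raw key and nonce words, to stdout. Never define ASCON_PRINT_STATE in a production build. */`. Minor: `for (int i = strlen(text); ...)` narrows `size_t` to `int`; declaring `size_t i` avoids the conversion warning.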
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/round.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/round.h new file mode 100644 index 0000000..f70ebf3 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/round.h 
@@ -0,0 +1,273 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( 
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m/word.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m/word.h 
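Review bot: `ROUND_LOOP` executes `sub`/`cmp`/`bne` inside the asm but declares no `"cc"` clobber (the flag-free `ROUND` and `ROUND5` blocks are fine); unless the ARM backend implicitly treats every asm statement as clobbering the condition codes, which I believe GCC does but which is a backend detail rather than a documented guarantee, the compiler may keep a live flag value across the statement. Adding `: "cc"` to the clobber list costs nothing and documents the intent. Separately, the do-while stops when `C` reaches `END` (0x3c) in steps of 0x0f, which is correct for every `nr` in 1..12 because `START(n) == 0x3c + 15*n`, but `PROUNDS(s, 0)` starts at `END`, runs one round, and then needs ~2^32 iterations to wrap back; since `nr` is a plain `int` parameter, a precondition comment above `PROUNDS`, `/* requires 1 <= nr <= 12; START(0) == END, so nr == 0 effectively never terminates */`, is worth adding.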
@@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/api.h 
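Review bot: `LOAD` and `STORE` dereference `*(uint64_t*)bytes` regardless of `n`, so on the final partial block they read up to `8 - n` bytes past the caller's buffer and `STORE` writes all 8 bytes back; since the word the `ascon_decrypt` hunk earlier in this patch passes as `STORE(m, *px, clen)` still carries the pad bit and state bytes above `clen`, those bytes are OR'd into `m[clen..7]`, i.e. past the plaintext the caller allocated (on the encrypt side the overrun presumably lands in the tag area and is overwritten, so decrypt is the exposed path). Both accesses are also unaligned `uint64_t` dereferences that break strict aliasing, and on ARMv7-M the compiler is free to emit `ldrd`/`strd`, which fault on addresses that are not word-aligned. If this is a deliberate speed trade-off, the contract "buffers must be readable/writable 8 bytes beyond `n` and suitably aligned" must be stated at the top of word.h and in the README, because the NIST `crypto_aead_*` API gives no such guarantee; otherwise route the partial-block case through the `memcpy` helpers already in this file, which touch exactly `n` bytes:
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* reads exactly n bytes, no alignment requirement */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n); /* only the first n bytes of the word reach memory */
}
```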
@@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/ascon.h new file mode 100644 index 0000000..70a4dee --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/ascon.h @@ -0,0 +1,36 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#define ASCON_ABSORB 0x1 +#define ASCON_SQUEEZE 0x2 +#define ASCON_INSERT 0x4 +#define ASCON_HASH 0x8 +#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE) +#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT) + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode); + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/config.h new file mode 100644 index 0000000..f5873d0 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/config.h 
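Review bot: `typedef struct { ... } key_t;` in ascon.h reuses `key_t`, the POSIX System V IPC key type declared in `<sys/types.h>`; on hosted toolchains `<stdio.h>`/`<stdlib.h>` routinely pull that header in, and the result is a "conflicting types for key_t" compile error in any translation unit that includes both. A prefixed name, `typedef struct { ... } ascon_key_t;`, with the matching updates in `ascon_loadkey`, `ascon_initaead` and `ascon_final` in encrypt.c, avoids the collision. Less important: the `out` parameter of `ascon_update` is undocumented and the encrypt.c caller passes `(void*)0` for the associated-data pass, so `/* out may be NULL when mode == ASCON_ABSORB */` belongs on the declaration.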
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + /* ascon encryption */ + ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); + /* set tag */ + for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i]; + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + /* ascon decryption */ + ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT); + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i]; + return (((result - 1) >> 8) & 1) - 1; +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/encrypt.c new file mode 100644 index 0000000..c6100f6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/encrypt.c 
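Review bot: `crypto_aead_decrypt` writes the decrypted bytes into `m` and sets `*mlen` before the tag is checked, and leaves both in place when it returns -1, so a caller that ignores the return value consumes unauthenticated plaintext; the defensive form is to wipe the output on failure, e.g. `int ret = (((result - 1) >> 8) & 1) - 1; if (ret != 0) { memset(m, 0, (size_t)*mlen); *mlen = 0; } return ret;` (branching on the final verdict is fine because the byte comparison itself stays branch-free and the verdict is returned anyway; needs `<string.h>` if the stripped include here is not already it). Two smaller points: `(result - 1) >> 8` relies on arithmetic right shift of a negative `int`, which is implementation-defined before C23, and `return (int)((((uint32_t)result - 1u) >> 8) & 1u) - 1;` gives the same 0/-1 result without it; and `uint8_t t[16]` should be `uint8_t t[CRYPTO_ABYTES]` so it cannot drift from api.h.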
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/endian.h 
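Review bot: `ascon_aead` stores the tag with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and `((uint64_t*)t)[1] = WORDTOU64(s.x[4]);`, writing through a `uint64_t` lvalue into a buffer the callers in crypto_aead.c declare as `uint8_t t[16]` with no alignment guarantee; that violates strict aliasing and, on ARMv7-M, an `strd` to a non-word-aligned address faults. word.h already provides the safe form, so these two lines should be `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);`. The same inconsistency shows in `ascon_loadkey`: the 20-byte branch reads the key with `LOADBYTES`, while the 16-byte branch and `ascon_initaead` read the caller's key and nonce with `LOAD(k, 8)` / `LOAD(npub, 8)`, i.e. as unaligned 64-bit words — `LOADBYTES` would be consistent and safe on both paths. Finally, `key` and `s` hold the key and secret state and are simply abandoned on the stack at return; a best-effort wipe before returning (a `volatile`-qualified clearing loop) is cheap on this target and worth a comment if deliberately omitted.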
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/forceinline.h 
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.c
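Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be selected: Clang's predefined macro is `__clang__` (lowercase), and Clang also defines `__GNUC__`, so the preceding branch already captures it. Either drop the dead branch or, if the `__has_attribute` probe is the intended Clang path, test `defined(__clang__)` before the `__GNUC__` branch. As written the block suggests a guard that does not exist.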
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
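Review bot: In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` variant of P, the dispatch references P12, P8 and P6 unconditionally, while permutations.c defines P6 only for ASCON_AEAD_RATE == 8 and P8 only for rate 16 or an 8-round hash; the build therefore relies on every call site passing a literal `nr` and the optimizer deleting the untaken branches, which at -O0 may leave an undefined reference at link time. Guarding each call with the same preprocessor condition as its definition, or documenting the constraint above P — `/* nr must be a compile-time constant at every call site: untaken branches reference symbols that may not be compiled in */` — makes the dependency explicit. The same dispatch in the fully inlined variant silently does nothing for any other nr value, which is also worth a comment.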
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/round.h new file mode 100644 index 0000000..f70ebf3 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/round.h 
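Review bot: printstate.h does not say what defining `ASCON_PRINT_STATE` actually does: it turns printstate/printword into real functions that write the entire 320-bit state to stdout, and at the points where ascon_initaead and ascon_final call them that state holds the key words just XORed in. A comment above the `#ifdef`, such as `/* Debug aid only: prints the full cipher state, including key-dependent words, to stdout. Never define in release builds. */`, would make the consequence of enabling the flag visible to whoever wires up build options.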
@@ -0,0 +1,273 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( 
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null 
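Review bot: ROUND_LOOP's `cmp %[C], #60` followed by `bne` modifies the condition flags, but the asm statement's clobber list is empty; adding `"cc"` as the clobber (`: : "cc");`) makes the flag clobber explicit and is harmless on targets where the compiler already assumes it. The loop's `#15` and `#60` literals also duplicate INC/END from constants.h, so a comment at the `sub`/`cmp` such as `/* must stay in sync with START/INC/END in constants.h */` would tie the exit condition to the constants it depends on. The `"i"(C)` constraint on ROUND and ROUND5 means they only compile when C is a compile-time constant, which is worth stating above ROUND since callers in other files cannot see it.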
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/update.c @@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif 
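Review bot: In the `ASCON_HASH_BYTES` build of ascon_update the INSERT branch reads `tmp`, which is only assigned inside `if (mode & ASCON_ABSORB)`; correctness therefore depends on the decrypt mode value carrying the ABSORB bit, an invariant nothing in this file states and that the compiler cannot check (the read is of an uninitialized local otherwise). A comment at the declaration, `/* tmp is filled by the absorb step; the decrypt mode must set ASCON_ABSORB so the insert step below sees the ciphertext word */`, records the dependency for the next person who touches the mode flags. The `out += 8` advance is also applied when `out` is the null pointer passed by the associated-data call, which is pointer arithmetic on a null pointer; guarding it with `if (out)` keeps the loop well defined.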
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_lowsize/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ 
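Review bot: LOAD and STORE access a full 8 bytes through a `uint64_t*` cast regardless of `n`, so a call with n < 8 reads past the end of the caller's buffer, and STORE additionally ORs the whole of `w` into the word, so any bits of `w` beyond the first n bytes land in the buffer past n; in this directory update.c routes partial blocks through LOADBYTES/STOREBYTES, but the helpers themselves do not enforce that, and the cast also assumes an alignment a `uint8_t*` does not carry (LDRD/STRD fault on unaligned addresses on ARMv7-M). Either document the contract — `/* LOAD/STORE always touch 8 aligned bytes; use LOADBYTES/STOREBYTES for partial or unaligned data */` — or implement both via memcpy as LOADBYTES/STOREBYTES already do. The `/* undefined for n == 0 */` note on CLEAR is on the wrong function: `~0ull >> (8 * n)` is defined for n == 0 and undefined for n == 8, whereas MASK's `64 - 8 * n` is the one that is undefined for n == 0.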
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/ascon.h
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
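Review bot: The `key_t` typedef in ascon.h collides with the POSIX type of the same name declared in `<sys/types.h>`, which glibc's `<stdlib.h>` and `<stdio.h>` include under the default feature macros; compiling this implementation with a hosted toolchain (for test vectors or a desktop build) can then fail with a conflicting typedef. A project-prefixed name such as `ascon_key_t` (and `ascon_state_t` for symmetry) avoids the clash, and as far as the visible files go the rename is mechanical. If a rename is out of scope for this release, a comment on the typedef noting the known conflict would at least explain the failure to the next person who hits it.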
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/endian.h 
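Review bot: crypto_aead_decrypt writes the whole decrypted message into `m` and sets `*mlen` before the tag is compared in the last three lines of the hunk, so on a failed verification (return value -1) the caller is still handed a full-length, unauthenticated plaintext. That is the usual shape for this API, but a caller that checks `*mlen` instead of the return code, or that reads `m` before checking, will consume forged data. Consider clearing the output on failure: `int ret = NOTZERO(s.x[3], s.x[4]); if (ret) { memset(m, 0, *mlen); *mlen = 0; } return ret;` (memcpy is already used in word.h, so string.h is presumably available; if not, it needs to be included). The branch is on the public verification result only, so it does not affect the constant-time property the comment above it asks for.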
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/forceinline.h 
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.c 
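Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be taken: clang's predefined macro is `__clang__` (lowercase), and clang also defines `__GNUC__`, so it already takes the GNU branch above. The dead branch is harmless today but misleading; either drop it or spell it `#elif defined(__clang__)` and move it above the `__GNUC__` test if the `__has_attribute` check is meant to apply to clang.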
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
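Review bot: printstate dumps all five state words to stdout, and in this commit's encrypt.c it is called from ascon_initaead immediately after the key and nonce are loaded into the state (`"init 1st key xor"`), so a build with ASCON_PRINT_STATE defined leaks key material in its output. That is fine for generating test vectors, but the file does not say so; a header comment such as `/* Debug aid only: prints the full state, including key and nonce words, to stdout. Never define ASCON_PRINT_STATE in a production build. */` would make the intent explicit. `for (int i = strlen(text); ...)` also narrows a size_t into int; `size_t i` avoids the warning under -Wconversion.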
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/round.h new file mode 100644 index 0000000..f70ebf3 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/round.h 
@@ -0,0 +1,273 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( 
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/armv7m_small/word.h 
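Review bot: ROUND_LOOP's asm ends with `sub`/`cmp`/`bne`, which modify the condition flags, but its clobber list is empty (`:);`). GCC on ARM does not, as far as I know, assume the flags are clobbered by an asm statement, so if the compiler keeps a condition live across the inlined loop the result is silently miscompiled; the fix is to close the statement with `: "cc");` in place of `:);`. ROUND and ROUND5 use only the non-flag-setting `eor`/`orn`/`bic`/`and`/`orr` forms and need no change.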
@@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/api.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/api.h new file mode 100644 index 0000000..6ad53ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/api.h 
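Review bot: LOAD and STORE touch a full 8 bytes at `bytes` regardless of `n`: LOAD dereferences `*(uint64_t*)bytes` and masks afterwards, and STORE does a read-modify-write of all 8 bytes and ORs in the whole word, including the bytes above `n`. The partial-block calls in this commit's encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`/`STORE(c, *px, mlen)`, `LOAD(c, clen)`/`STORE(m, *px, clen)`) therefore read up to 7 bytes past the end of ad, m and c and, in decryption, write past the end of m unless the caller's buffers are padded, a requirement the public API does not state. If this is a deliberate size/speed trade-off for this target, that requirement belongs in a comment on LOAD/STORE and on crypto_aead_encrypt/decrypt; otherwise LOAD and STORE can take the memcpy bodies of LOADBYTES/STOREBYTES, which also removes the unaligned `uint64_t*` cast. Separately, NOTZERO relies on `>> 8` of a negative int being an arithmetic shift, which is implementation-defined in C; a comment such as `/* relies on arithmetic right shift of negative int (true for GCC/Clang on ARM) */` would record that.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* touch only the n bytes that belong to the caller */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
/* … unchanged: LOADBYTES / STOREBYTES … */
```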
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.S b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.S
new file mode 100644
index 0000000..35eff96
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.S
@@ -0,0 +1,545 @@ +#include "api.h" + +## REGISTER ALLOCATION +#define t0h t3 +#define t0l t4 +#define t1h t5 +#define t1l t6 +#define x0h s0 +#define x0l s1 +#define x1h s2 +#define x1l s3 +#define x2h s4 +#define x2l s5 +#define x3h s6 +#define x3l s7 +#define x4h s8 +#define x4l s9 +#define k0h s10 +#define k0l s11 +#define k1h a5 +#define k1l a6 + +## OVERLAPPING REGISTER ALLOCATION +#define optr a0 +#define iptr a3 +#define ilen a4 +#define mode a7 + +## STACK FRAME LAYOUT +## +-----------+-----------+-----------+------------+-----------+ +## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH | +## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 | +## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 | +## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 | +## | KEY 16 | KEY 16 | KEY 20 | | | +## +-----------+-----------+-----------+------------+-----------+ +## 0 | bytes | bytes | bytes | bytes | bytes | +## 4 | | | \---- | \---- | \---- | \---- | +## 8 | | | | | | | +## 12 | \---- | | | | | +## 16 | | | key k2h | | | +## 20 | optr | optr | optr | optr | optr | +## 24 | mode | mode | mode | | | +## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 | +## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 | +## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 | +## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 | +## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 | +## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 | +## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 | +## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 | +## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 | +## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 | +## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 | +## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 | +## 76 | saved ra | saved ra | saved ra | saved ra | saved ra | +## 80 
+-----------+-----------+-----------+------------+-----------+ + +## ASCON128a +#define RATE 16 +#define PA_ROUNDS 12 +#define PA_START_ROUND ascon_start_round_a +#define PB_ROUNDS 8 +#define PB_START_ROUND ascon_start_round_b +#define IVe 0x200000 +#define IVo 0x88220000 + +#define S_key 16 +#define S_optr 20 +#define S_mode 24 + +.macro sbox x0, x1, x2, x3, x4, t0, t1, t2 + xor \t1, \x0, \x4 + xor \t2, \x3, \x4 + xor \t0, \x1, \x2 + orn \x4, \x3, \x4 + xor \x4, \x4, \t0 + xor \x3, \x3, \x1 + or \x3, \x3, \t0 + xor \x3, \x3, \t1 + xor \x2, \x2, \t1 + or \x2, \x2, \x1 + xor \x2, \x2, \t2 + or \x0, \x0, \t2 + xor \t0, \t0, \x0 + andn \x1, \x1, \t1 + xor \x1, \x1, \t2 +.endm + +.macro linear_odd_odd de, do, se, so, r0, r1, t0, t1 + rori \t0, \so, ((\r0 - \r1) / 2) + rori \t1, \se, ((\r0 - \r1) / 2) + xor \t0, \t0, \so + xor \t1, \t1, \se + rori \t0, \t0, ((\r1 - 1) / 2) + rori \t1, \t1, ((\r1 + 1) / 2) + xor \de, \se, \t0 + xor \do, \so, \t1 +.endm + +.macro linear_odd_even de, do, se, so, r0, r1, t0, t1 + .if (\r0 > 1) + rori \t0, \so, ((\r0 - 1) / 2) + xor \t0, \t0, \se + .else + xor \t0, \so, \se + .endif + rori \t1, \se, ((\r0 + 1) / 2) + xor \t1, \t1, \so + rori \se, \se, (\r1 / 2) + rori \so, \so, (\r1 / 2) + xor \de, \se, \t0 + xor \do, \so, \t1 +.endm + +.macro linear de, do, se, so, r0, r1, t0, t1 + .if (\r0 < \r1) + linear \de, \do, \se, \so, \r1, \r0, \t0, \t1 + .elseif ((\r0 % 2) == 0) + linear_odd_even \de, \do, \se, \so, \r1, \r0, \t0, \t1 + .elseif ((\r1 % 2) == 0) + linear_odd_even \de, \do, \se, \so, \r0, \r1, \t0, \t1 + .else + linear_odd_odd \de, \do, \se, \so, \r0, \r1, \t0, \t1 + .endif +.endm + +.section .data +.align 2 +.global ascon_round_constants +.type ascon_round_constants,@object +ascon_round_constants: +ascon_start_round_a: + .byte 0xc, 0xc + .byte 0x9, 0xc + .byte 0xc, 0x9 + .byte 0x9, 0x9 +ascon_start_round_b: + .byte 0x6, 0xc + .byte 0x3, 0xc + .byte 0x6, 0x9 + .byte 0x3, 0x9 + .byte 0xc, 0x6 + .byte 0x9, 0x6 + .byte 0xc, 0x3 + .byte 
0x9, 0x3 + .byte 0x0 + +.section .text +.align 4 +.globl ascon_permute +.type ascon_permute,@function +ascon_permute: + # ascon permutation + # state in s0 .. s9 + # start round constant ptr in t1 + # temporaries in t3, t4, t5 + # link register in t0 + j .LPloopcond +.LPloop: + # round constant + xor x2l, x2l, t2 + lbu t2, 1(t1) + xor x2h, x2h, t2 + + # s-box + sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h + sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h + + # linear layer + linear x0l, x0h, x2l, x2h, 19, 28, x0l, x0h + linear x2l, x2h, x4l, x4h, 1, 6, x2l, x2h + linear x4l, x4h, x1l, x1h, 7, 41, x4l, x4h + linear x1l, x1h, x3l, x3h, 61, 39, x1l, x1h + linear x3l, x3h, t0l, t0h, 10, 17, x3l, x3h + + # condition + addi t1, t1, 2 +.LPloopcond: + lbu t2, 0(t1) + bne t2, zero, .LPloop + +.LPend: + jalr zero, 0(t0) + +.macro to_bi32_rev8 de, do, xl, xh, t0 + rev8 \t0, \xl + rev8 \do, \xh + unzip \t0, \t0 + unzip \do, \do + pack \de, \t0, \do + packu \do, \t0, \do +.endm + +.macro from_bi32_rev8 dl, dh, xe, xo, t0 + pack \t0, \xe, \xo + packu \dh, \xe, \xo + zip \dl, \t0 + zip \dh, \dh + rev8 \dl, \dl + rev8 \dh, \dh +.endm + +.align 4 +.globl ascon_to_bi32_rev8 +.type ascon_to_bi32_rev8,@function +ascon_to_bi32_rev8: + # ascon bytereverse and bi32 one block + # arguments and results in t3, t4, t5, t6 + # temporaries in t1, t2 + # link register in t0 + to_bi32_rev8 t0l, t0h, t0l, t0h, t1 + to_bi32_rev8 t1l, t1h, t1l, t1h, t1 + jalr zero, 0(t0) + +.align 4 +.globl ascon_from_bi32_rev8 +.type ascon_from_bi32_rev8,@function +ascon_from_bi32_rev8: + # ascon bytereverse and inverse bi32 one block + # arguments and results in t3, t4, t5, t6 + # temporaries in t1, t2 + # link register in t0 + from_bi32_rev8 t0l, t0h, t0l, t0h, t1 + from_bi32_rev8 t1l, t1h, t1l, t1h, t1 + jalr zero, 0(t0) + +.align 4 +.globl ascon_memcpy +.type ascon_memcpy,@function +ascon_memcpy: + # memcpy that preserves registers used by ascon + # dest in t1 + # src in t2 + # len in a4 + # temporaries in t3, t4 + 
# link register in t0 + li t3, 0 + j .LMcond +.LMloop: + lbu t4, 0(t2) + sb t4, 0(t1) + addi t1, t1, 1 + addi t2, t2, 1 + addi t3, t3, 1 +.LMcond: + blt t3, ilen, .LMloop +.LMend: + jalr zero, 0(t0) + +.align 4 +.globl ascon_duplex +.type ascon_duplex,@function +ascon_duplex: + j .LDcond + +.LDloop: + lw t0h, 0(iptr) + lw t0l, 4(iptr) + lw t1h, 8(iptr) + lw t1l, 12(iptr) + jal t0, ascon_to_bi32_rev8 + xor x0h, x0h, t0h + xor x0l, x0l, t0l + xor x1h, x1h, t1h + xor x1l, x1l, t1l + +.LDsqueeze: + beq mode, zero, .LDreset + + # ascon_rev8 + # inlined here to preserve registers + from_bi32_rev8 t0, t1, x0l, x0h, t2 + sw t1, 0(optr) + sw t0, 4(optr) + from_bi32_rev8 t0, t1, x1l, x1h, t2 + sw t1, 8(optr) + sw t0, 12(optr) + +.LDreset: + bge mode, zero, .LDpermute + mv x0h, t0h + mv x0l, t0l + mv x1h, t1h + mv x1l, t1l + +.LDpermute: + la t1, PB_START_ROUND + jal t0, ascon_permute + + addi optr, optr, RATE + addi iptr, iptr, RATE + addi ilen, ilen, -RATE + +.LDcond: + li t0, RATE + bge ilen, t0, .LDloop + +.LDend: + sw zero, 0(sp) + sw zero, 4(sp) + sw zero, 8(sp) + sw zero, 12(sp) + + mv t1, sp + mv t2, iptr + jal t0, ascon_memcpy + + add t1, sp, ilen + lbu t0, 0(t1) + xori t0, t0, 0x80 + sb t0, 0(t1) + + lw t0h, 0(sp) + lw t0l, 4(sp) + lw t1h, 8(sp) + lw t1l, 12(sp) + jal t0, ascon_to_bi32_rev8 + xor x0h, x0h, t0h + xor x0l, x0l, t0l + xor x1h, x1h, t1h + xor x1l, x1l, t1l + +.LDendsqueeze: + beq mode, zero, .LDendreset + + mv t0h, x0h + mv t0l, x0l + mv t1h, x1h + mv t1l, x1l + jal t0, ascon_from_bi32_rev8 + sw t0h, 0(sp) + sw t0l, 4(sp) + sw t1h, 8(sp) + sw t1l, 12(sp) + + mv t1, optr + mv t2, sp + jal t0, ascon_memcpy + +.LDendreset: + bge mode, zero, .LDreturn + + mv t1, sp + mv t2, iptr + jal t0, ascon_memcpy + + lw t0h, 0(sp) + lw t0l, 4(sp) + lw t1h, 8(sp) + lw t1l, 12(sp) + jal t0, ascon_to_bi32_rev8 + mv x0h, t0h + mv x0l, t0l + mv x1h, t1h + mv x1l, t1l + +.LDreturn: + add optr, optr, ilen + add iptr, iptr, ilen + ret + +.macro sw_unaligned x, off, a + sb \x, 
0+\off(\a) + srli \x, \x, 8 + sb \x, 1+\off(\a) + srli \x, \x, 8 + sb \x, 2+\off(\a) + srli \x, \x, 8 + sb \x, 3+\off(\a) +.endm + +.macro lw_unaligned_4x x1, x2, x3, x4, a, t0, t1, t2, t3 + andi \t0, \a, -4 + lw \x1, 0(\t0) + lw \x2, 4(\t0) + lw \x3, 8(\t0) + lw \x4, 12(\t0) + beq \t0, \a, 1f + lw \t0, 16(\t0) + andi \t1, \a, 3 + slli \t1, \t1, 3 + sub \t2, zero, \t1 + srl \x1, \x1, \t1 + sll \t3, \x2, \t2 + or \x1, \x1, \t3 + srl \x2, \x2, \t1 + sll \t3, \x3, \t2 + or \x2, \x2, \t3 + srl \x3, \x3, \t1 + sll \t3, \x4, \t2 + or \x3, \x3, \t3 + srl \x4, \x4, \t1 + sll \t3, \t0, \t2 + or \x4, \x4, \t3 + 1: +.endm + +.align 4 +.globl ascon_core +.type ascon_core,@function +ascon_core: + # ascon algorithm + # sets up state in s0 .. s9 + # outptr in a0 + # inptr in a1 + # inlen in a2 + # adptr in a3 (later used as inptr) + # adlen in a4 (later used as inlen) + # nptr in a5 (later used as k1h) + # kptr in a6 (later used as k1l) + # mode in a7 (1 enc, 0 ad, -1 dec) + # link register in ra + addi sp, sp, -80 + sw ra, 76(sp) + sw s0, 72(sp) + sw s1, 68(sp) + sw s2, 64(sp) + sw s3, 60(sp) + sw s4, 56(sp) + sw s5, 52(sp) + sw s6, 48(sp) + sw s7, 44(sp) + sw s8, 40(sp) + sw s9, 36(sp) + sw s10, 32(sp) + sw s11, 28(sp) + + # sign-extend mode + slli a7, a7, 24 + srai a7, a7, 24 + + lw t0h, 0(a5) + lw t0l, 4(a5) + lw t1h, 8(a5) + lw t1l, 12(a5) + jal t0, ascon_to_bi32_rev8 + mv x3h, t0h + mv x3l, t0l + mv x4h, t1h + mv x4l, t1l + + lw t0h, 0(a6) + lw t0l, 4(a6) + lw t1h, 8(a6) + lw t1l, 12(a6) + jal t0, ascon_to_bi32_rev8 + mv k0h, t0h + mv k0l, t0l + mv k1h, t1h + mv k1l, t1l + + li x0h, IVo + li x0l, IVe + mv x1h, k0h + mv x1l, k0l + mv x2h, k1h + mv x2l, k1l + + la t1, PA_START_ROUND + jal t0, ascon_permute + + xor x3h, x3h, k0h + xor x3l, x3l, k0l + xor x4h, x4h, k1h + xor x4l, x4l, k1l + + beq ilen, zero, .LCskipad + + sw optr, S_optr(sp) + sw mode, S_mode(sp) + mv mode, zero + jal ra, ascon_duplex + lw optr, S_optr(sp) + lw mode, S_mode(sp) + + la t1, PB_START_ROUND + jal 
t0, ascon_permute + +.LCskipad: + xori x4l, x4l, 1 + + mv iptr, a1 + mv ilen, a2 + jal ra, ascon_duplex + + xor x2h, x2h, k0h + xor x2l, x2l, k0l + xor x3h, x3h, k1h + xor x3l, x3l, k1l + + la t1, PA_START_ROUND + jal t0, ascon_permute + + xor x3h, x3h, k0h + xor x3l, x3l, k0l + xor x4h, x4h, k1h + xor x4l, x4l, k1l + + bge mode, zero, .LCencrypt +.LCdecrypt: + lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1, t2, k0h + jal t0, ascon_to_bi32_rev8 + + xor t0, x3h, t0h + xor t1, x3l, t0l + xor t0, t0, t1 + xor t1, x4h, t1h + xor t0, t0, t1 + xor t1, x4l, t1l + xor t0, t0, t1 + + beq t0, zero, .LCzeroreturn + li a0, -1 + j .LCreturn +.LCencrypt: + + mv t0h, x3h + mv t0l, x3l + mv t1h, x4h + mv t1l, x4l + jal t0, ascon_from_bi32_rev8 + sw_unaligned t0h, 0, optr + sw_unaligned t0l, 4, optr + sw_unaligned t1h, 8, optr + sw_unaligned t1l, 12, optr + +.LCzeroreturn: + li a0, 0 +.LCreturn: + lw ra, 76(sp) + lw s0, 72(sp) + lw s1, 68(sp) + lw s2, 64(sp) + lw s3, 60(sp) + lw s4, 56(sp) + lw s5, 52(sp) + lw s6, 48(sp) + lw s7, 44(sp) + lw s8, 40(sp) + lw s9, 36(sp) + lw s10, 32(sp) + lw s11, 28(sp) + addi sp, sp, 80 + jalr zero, 0(ra) diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.h new file mode 100644 index 0000000..74e5220 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/ascon.h @@ -0,0 +1,6 @@ +#include "api.h" + +int ascon_core(unsigned char* outptr, const unsigned char* inptr, + unsigned int inlen, const unsigned char* adptr, + unsigned int adlen, const unsigned char* nptr, + const unsigned char* kptr, unsigned char mode); diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/decrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/decrypt.c new file mode 100644 index 0000000..0b0211d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/decrypt.c 
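Review bot: The full-block loop in `ascon_duplex` (`.LDloop` and `.LDsqueeze`) reads and writes the caller's buffers with plain `lw`/`sw` at `0(iptr)`..`12(iptr)` and `0(optr)`..`12(optr)`, whereas the tag path in `ascon_core` goes through `lw_unaligned_4x` and `sw_unaligned`; if unaligned in/out pointers are meant to be supported, the block loop needs the same treatment, since on an RV32 core without hardware misaligned-access support those word accesses would trap or fall into slow emulation. If 4-byte-aligned buffers are a deliberate precondition, a comment above `ascon_duplex` such as `# in/out pointers must be 4-byte aligned; only the tag is accessed unaligned` would document it. Separately, `k1h`/`k1l` live in the argument registers a5/a6 and are not touched by the epilogue at `.LCreturn`, and the 16-byte scratch block at sp+0 still holds the last partial block copied through it, so key halves and message data outlive the call in registers and in the dead frame; zeroing them before `addi sp, sp, 80` is cheap hygiene on a constrained target. The asm_fsr_rv32b `ascon.S` hunk further down uses the same register allocation but is cut off in this view.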
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/implementors b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_bi32_rv32b/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/api.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
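Review bot: `crypto_aead_decrypt` hands `m` to `ascon_core` with mode -1, and the assembly stores each decrypted block to the output pointer as it is produced, so on a tag mismatch `m` already holds unauthenticated plaintext while the function returns -1 with `*mlen` left at `clen - CRYPTO_ABYTES`. A caller that forwards `m` before checking the return value gets a release-of-unverified-plaintext problem; either zeroing `m` (and `*mlen`) on a non-zero result in this wrapper, or a comment such as `/* on return -1 the contents of m are unauthenticated and must be discarded */` above the call, would make the contract explicit. The asm_esp32 `decrypt.c` hunk further down has the same shape and would want the same treatment.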
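Review bot: `*clen = mlen + CRYPTO_ABYTES` is computed in 64-bit, but `mlen` and `adlen` are then passed to `ascon_core`, whose prototype in `ascon.h` takes `unsigned int inlen` and `unsigned int adlen`, so a length above `UINT_MAX` is silently truncated and the tag covers fewer bytes than `*clen` advertises. Such sizes may be unrealistic on RV32/ESP32 targets, but the wrapper is the only place the narrowing can be caught; a guard along the lines of `if (mlen > UINT_MAX || adlen > UINT_MAX) return -1;` (with `<limits.h>`), or at least a comment `/* ascon_core takes 32-bit lengths */`, would close the gap. The same narrowing appears in the two `decrypt.c` hunks and in the asm_esp32 `encrypt.c` hunk further down.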
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.S b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.S
new file mode 100644
index 0000000..4dbdf15
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.S
@@ -0,0 +1,544 @@ +#include +#include "api.h" + +## REGISTER ALLOCATION +#define t0h a4 +#define t0l a5 +#define x0h a6 +#define x0l a7 +#define x1h a8 +#define x1l a9 +#define x2h a10 +#define x2l a11 +#define x3h a12 +#define x3l a13 +#define x4h a14 +#define x4l a15 +## OVERLAPPING REGISTER ALLOCATION +#define optr x2h +#define iptr x2l +#define ilen x3h +#define mode x3l +#define t1h x4h +#define t1l x4l + +## STACK FRAME LAYOUT +## +-----------+-----------+-----------+------------+-----------+ +## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH | +## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 | +## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 | +## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 | +## | KEY 16 | KEY 16 | KEY 20 | | | +## +-----------+-----------+-----------+------------+-----------+ +## 0 | bytes | bytes | bytes | bytes | bytes | +## 4 | | | \---- | \---- | \---- | \---- | +## 8 | | | optr | optr | optr | optr | +## 12 | \---- | iptr | iptr | iptr cur | iptr cur | +## 16 | state x2h | state x2h | state x2h | | | +## 20 | | x2l | | x2l | | x2l | state x2l | state x2l | +## 24 | | x3h | | x3h | | x3h | \---- x3h | \---- x3h | +## 28 | | x3l | \---- x3l | \---- x3l | | | +## 32 | | x4h | ilen | ilen | ilen cur | ilen cur | +## 36 | \---- x4l | mode cur | mode cur | olen | olen | +## 40 | key k0h | key k0h | key k1h | | | +## 44 | | k0l | | k0l | | k1l | lr | lr | +## 48 | | k1h | | k1h | | k2h +------------+-----------+ +## 52 | \---- k1l | \---- k1l | | k2l | +## 56 | | | \---- k0h | +## 60 | optr cur | optr cur | optr cur | +## 64 | iptr cur | iptr cur | iptr cur | +## 68 | ilen cur | ilen cur | ilen cur | +## 72 | mode cur | lr2 | lr2 | +## 76 | optr | lr | lr | +## 80 | iptr +-----------+-----------+ +## 84 | ilen | | | +## 88 | lr2 | | | +## 92 | lr +-----------+-----------+ +## 96 +-----------+ kptr arg | kptr arg | +## 100 | | mode arg | mode arg | +## 104 | +-----------+-----------+ +## 108 +-----------+ +## 112 | kptr arg | +## 116 | mode 
arg | +## 120 +-----------+ + +## ASCON128a +#define RATE 16 +#define PA_ROUNDS 12 +#define PA_START_ROUND 0xf0 +#define PB_ROUNDS 8 +#define PB_START_ROUND 0xb4 +#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0)) +#define IVl 0 + +#define S_state 16 +#define S_key 40 +#define S_optr_cur 60 +#define S_iptr_cur 64 +#define S_ilen_cur 68 +#define S_mode_cur 72 +#define S_optr 76 +#define S_iptr 80 +#define S_ilen 84 +#define S_lr2 88 +#define S_lr 92 +#define S_kptr_arg 112 +#define S_mode_arg 116 + +.macro sbox x0, x1, x2, x3, x4, t0, t1, t2 + xor \t2, \x3, \x4 + xor \t1, \x0, \x4 + movi \t0, -1 + xor \x4, \x4, \t0 + xor \t0, \x1, \x2 + or \x4, \x4, \x3 + xor \x4, \x4, \t0 + xor \x3, \x3, \x1 + or \x3, \x3, \t0 + xor \x3, \x3, \t1 + xor \x2, \x2, \t1 + or \x2, \x2, \x1 + xor \x2, \x2, \t2 + or \x0, \x0, \t2 + xor \t0, \t0, \x0 + and \t1, \t1, \x1 + xor \x1, \x1, \t1 + xor \x1, \x1, \t2 +.endm + +.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0 + ssai \r0 + src \dl, \sh0, \sl0 + src \dh, \sl0, \sh0 + xor \dl, \dl, \sl + xor \dh, \dh, \sh + ssai \r1 + src \t0, \sh1, \sl1 + src \sh, \sl1, \sh1 + xor \dl, \dl, \t0 + xor \dh, \dh, \sh +.endm + +.align 4 +.globl ascon_permute +.type ascon_permute,@function +ascon_permute: + # ascon permutation + # state in a6 .. a9 and sp + 16 .. sp + 36 + # start round in a2 + # temporaries in a3, a4, a5 + l32i x2h, a1, (S_state + 0) + l32i x2l, a1, (S_state + 4) + l32i x3h, a1, (S_state + 8) + l32i x3l, a1, (S_state + 12) + l32i x4h, a1, (S_state + 16) + l32i x4l, a1, (S_state + 20) +.align 4 +.globl ascon_permute_noload +.type ascon_permute_noload,@function +ascon_permute_noload: + # state in a6 .. 
a15 + # start round constant in a2 + # round count in a3 + # temporaries in a3, a4, a5 + + # ESP32 zero-overhead looping + floop a3, Ploop +.LPloop: + # round constant + xor x2l, x2l, a2 + + # s-box + sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, a3 + sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, a3 + + # linear layer + linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, a3 + linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, a3 + linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, a3 + linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, a3 + linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, a3 + + # condition + addi a2, a2, -15 + + floopend a3, Ploop +.LPend: + s32i x2h, a1, (S_state + 0) + s32i x2l, a1, (S_state + 4) + s32i x3h, a1, (S_state + 8) + s32i x3l, a1, (S_state + 12) + s32i x4h, a1, (S_state + 16) + s32i x4l, a1, (S_state + 20) + ret + +.align 4 +.globl ascon_rev8 +.type ascon_rev8,@function +ascon_rev8: + # ascon bytereverse one block + # arguments and results in a4, a5, a14, a15 + # temporaries in a2 + ssai 8 + srli a2, t1h, 16 + src a2, a2, t1h + src a2, a2, a2 + src t1h, t1h, a2 + + srli a2, t1l, 16 + src a2, a2, t1l + src a2, a2, a2 + src t1l, t1l, a2 + + srli a2, t0h, 16 + src a2, a2, t0h + src a2, a2, a2 + src t0h, t0h, a2 + + srli a2, t0l, 16 + src a2, a2, t0l + src a2, a2, a2 + src t0l, t0l, a2 + + ret + +.align 4 +.globl ascon_memcpy +.type ascon_memcpy,@function +ascon_memcpy: + # memcpy that preserves registers used by ascon + # dest in a2 + # src in a3 + # temporaries in a4, a5 + movi a4, 0 + j .LMcond +.LMloop: + l8ui a5, a3, 0 + s8i a5, a2, 0 + addi a2, a2, 1 + addi a3, a3, 1 + addi a4, a4, 1 +.LMcond: + bltu a4, ilen, .LMloop +.LMend: + ret + +.align 4 +.globl ascon_duplex +.type ascon_duplex,@function +ascon_duplex: + s32i a0, a1, S_lr2 + j .LDcond + +.LDloop: + l32i t0h, iptr, 0 + l32i t0l, iptr, 4 + l32i t1h, iptr, 8 + l32i t1l, iptr, 12 + call0 ascon_rev8 + xor x0h, x0h, t0h + xor x0l, x0l, t0l + xor x1h, x1h, t1h + xor x1l, x1l, 
t1l + +.LDsqueeze: + beqz a13, .LDreset + + # ascon_rev8 + # inlined here to preserve registers + ssai 8 + srli a2, x0h, 16 + src a2, a2, x0h + src a2, a2, a2 + src a2, x0h, a2 + s32i a2, optr, 0 + + srli a2, x0l, 16 + src a2, a2, x0l + src a2, a2, a2 + src a2, x0l, a2 + s32i a2, optr, 4 + + srli a2, x1h, 16 + src a2, a2, x1h + src a2, a2, a2 + src a2, x1h, a2 + s32i a2, optr, 8 + + srli a2, x1l, 16 + src a2, a2, x1l + src a2, a2, a2 + src a2, x1l, a2 + s32i a2, optr, 12 + +.LDreset: + bgez mode, .LDpermute + mov x0h, t0h + mov x0l, t0l + mov x1h, t1h + mov x1l, t1l + +.LDpermute: + s32i optr, a1, S_optr_cur + s32i iptr, a1, S_iptr_cur + s32i ilen, a1, S_ilen_cur + movi a2, PB_START_ROUND + movi a3, PB_ROUNDS + call0 ascon_permute + l32i optr, a1, S_optr_cur + l32i iptr, a1, S_iptr_cur + l32i ilen, a1, S_ilen_cur + l32i mode, a1, S_mode_cur + + addi optr, optr, RATE + addi iptr, iptr, RATE + addi ilen, ilen, -RATE + +.LDcond: + bgeui ilen, RATE, .LDloop + +.LDend: + movi a2, 0 + s32i a2, a1, 0 + s32i a2, a1, 4 + s32i a2, a1, 8 + s32i a2, a1, 12 + + mov a2, a1 + mov a3, iptr + call0 ascon_memcpy + + movi a4, 0x80 + add a2, a1, ilen + l8ui a3, a2, 0 + xor a3, a3, a4 + s8i a3, a2, 0 + + l32i t0h, a1, 0 + l32i t0l, a1, 4 + l32i t1h, a1, 8 + l32i t1l, a1, 12 + call0 ascon_rev8 + xor x0h, x0h, t0h + xor x0l, x0l, t0l + xor x1h, x1h, t1h + xor x1l, x1l, t1l + +.LDendsqueeze: + beqz mode, .LDendreset + + mov t0h, x0h + mov t0l, x0l + mov t1h, x1h + mov t1l, x1l + call0 ascon_rev8 + s32i t0h, a1, 0 + s32i t0l, a1, 4 + s32i t1h, a1, 8 + s32i t1l, a1, 12 + + mov a2, optr + mov a3, a1 + call0 ascon_memcpy + +.LDendreset: + bgez mode, .LDreturn + + mov a2, a1 + mov a3, iptr + call0 ascon_memcpy + + l32i t0h, a1, 0 + l32i t0l, a1, 4 + l32i t1h, a1, 8 + l32i t1l, a1, 12 + call0 ascon_rev8 + mov x0h, t0h + mov x0l, t0l + mov x1h, t1h + mov x1l, t1l + +.LDreturn: + add optr, optr, ilen + add iptr, iptr, ilen + l32i a0, a1, S_lr2 + ret + +.align 4 +.globl ascon_core +.type 
ascon_core,@function +ascon_core: + abi_entry 96, 4 + s32i a0, a1, S_lr + s32i a2, a1, S_optr + s32i a3, a1, S_iptr + s32i a4, a1, S_ilen + s32i a5, a1, S_iptr_cur + s32i a6, a1, S_ilen_cur + + # load key + l32i a2, a1, S_kptr_arg + l32i t0h, a2, 0 + l32i t0l, a2, 4 + l32i t1h, a2, 8 + l32i t1l, a2, 12 + call0 ascon_rev8 + s32i t0h, a1, (S_key + 0) + s32i t0l, a1, (S_key + 4) + s32i t1h, a1, (S_key + 8) + s32i t1l, a1, (S_key + 12) + mov x1h, t0h + mov x1l, t0l + mov x2h, t1h + mov x2l, t1l + + # load nonce + # a7 is not clobbered by ascon_rev8 + # a7 does not overlap x1, x2, t0, or t1 + # x4 overlaps t1, move unnecessary + mov a2, a7 + l32i t0h, a2, 0 + l32i t0l, a2, 4 + l32i t1h, a2, 8 + l32i t1l, a2, 12 + call0 ascon_rev8 + mov x3h, t0h + mov x3l, t0l + + # load IV + # this clobbers a7 + movi x0h, IVh + movi x0l, IVl + + movi a2, PA_START_ROUND + movi a3, PA_ROUNDS + call0 ascon_permute_noload + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x3h, x3h, t0h + xor x3l, x3l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x4h, x4h, t0h + xor x4l, x4l, t0l + + # save state + s32i x2h, a1, (S_state + 0) + s32i x2l, a1, (S_state + 4) + s32i x3h, a1, (S_state + 8) + s32i x3l, a1, (S_state + 12) + s32i x4h, a1, (S_state + 16) + s32i x4l, a1, (S_state + 20) + + l32i ilen, a1, S_ilen_cur + beqz ilen, .LCskipad + + l32i iptr, a1, S_iptr_cur + movi mode, 0 + s32i mode, a1, S_mode_cur + call0 ascon_duplex + + movi a2, PB_START_ROUND + movi a3, PB_ROUNDS + call0 ascon_permute + +.LCskipad: + movi a2, 1 + xor x4l, x4l, a2 + s32i x4l, a1, (S_state + 20) + + l32i optr, a1, S_optr + l32i iptr, a1, S_iptr + l32i ilen, a1, S_ilen + l8ui mode, a1, S_mode_arg + sext mode, mode, 7 + s32i mode, a1, S_mode_cur + call0 ascon_duplex + s32i optr, a1, S_optr_cur + s32i iptr, a1, S_iptr_cur + + # restore state + l32i x2h, a1, (S_state + 0) + l32i x2l, a1, (S_state + 4) + l32i x3h, a1, (S_state + 8) + l32i x3l, 
a1, (S_state + 12) + l32i x4h, a1, (S_state + 16) + l32i x4l, a1, (S_state + 20) + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x2h, x2h, t0h + xor x2l, x2l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x3h, x3h, t0h + xor x3l, x3l, t0l + + movi a2, PA_START_ROUND + movi a3, PA_ROUNDS + call0 ascon_permute_noload + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x3h, x3h, t0h + xor x3l, x3l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x4h, x4h, t0h + xor x4l, x4l, t0l + + l32i a2, a1, S_mode_cur + bgez a2, .LCencrypt +.LCdecrypt: + + # save x4 into x0 + # x0 is no longer needed + # x4 overlaps t1 + mov x0h, x4h + mov x0l, x4l + + l32i a2, a1, S_iptr_cur + l32i t0h, a2, 0 + l32i t0l, a2, 4 + l32i t1h, a2, 8 + l32i t1l, a2, 12 + call0 ascon_rev8 + + # check tag + # x4 is in x0 + xor a2, x3h, t0h + xor a3, x3l, t0l + xor a2, a2, a3 + xor a3, x0h, t1h + xor a2, a2, a3 + xor a3, x0l, t1l + xor a2, a2, a3 + + beqz a2, .LCzeroreturn + movi a2, -1 + j .LCreturn +.LCencrypt: + + # store tag + # x4 overlaps t1, move unnecessary + mov t0h, x3h + mov t0l, x3l + call0 ascon_rev8 + l32i a2, a1, S_optr_cur + s32i t0h, a2, 0 + s32i t0l, a2, 4 + s32i t1h, a2, 8 + s32i t1l, a2, 12 + +.LCzeroreturn: + movi a2, 0 +.LCreturn: + l32i a0, a1, S_lr + abi_return diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.h new file mode 100644 index 0000000..74e5220 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/ascon.h @@ -0,0 +1,6 @@ +#include "api.h" + +int ascon_core(unsigned char* outptr, const unsigned char* inptr, + unsigned int inlen, const unsigned char* adptr, + unsigned int adlen, const unsigned char* nptr, + const unsigned char* kptr, unsigned char mode); 
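Review bot: `ascon_core` spills the byte-reversed key to the stack at `S_key` (sp+40..sp+52) and the working state at `S_state`, but the epilogue at `.LCreturn` only reloads `a0` and executes `abi_return`, so key material and the final state remain in the dead frame after the call returns. A handful of `s32i` stores of zero over the `S_key` slots before `abi_return` would be a cheap mitigation on a shared-stack MCU and would match the care already taken with the constant-time tag comparison at `.LCdecrypt`. Two smaller points: the first `#include` of this file renders without a header name on this page, presumably an angle-bracket header lost in extraction, and `ascon_memcpy` compares with unsigned `bltu` here while the RISC-V variants use signed `blt`, which is harmless for realistic lengths but worth making consistent across the ports.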
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/decrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/decrypt.c
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/implementors b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_esp32/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/api.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.S b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.S
new file mode 100644
index 0000000..98417c0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.S
@@ -0,0 +1,457 @@
+#include "api.h"
+
+## REGISTER ALLOCATION
+#define t0h t3
+#define t0l t4
+#define t1h t5
+#define t1l t6
+#define x0h s0
+#define x0l s1
+#define x1h s2
+#define x1l s3
+#define x2h s4
+#define x2l s5
+#define x3h s6
+#define x3l s7
+#define x4h s8
+#define x4l s9
+#define k0h s10
+#define k0l s11
+#define k1h a5
+#define k1l a6
+
+## OVERLAPPING REGISTER ALLOCATION
+#define optr a0
+#define iptr a3
+#define ilen a4
+#define mode a7
+
+## STACK FRAME LAYOUT
+## +-----------+-----------+-----------+------------+-----------+
+## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH |
+## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 |
+## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 |
+## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 |
+## | KEY 16 | KEY 16 | KEY 20 | | |
+## +-----------+-----------+-----------+------------+-----------+
+## 0 | bytes | bytes | bytes | bytes | bytes |
+## 4 | | | \---- | \---- | \---- | \---- |
+## 8 | | | | | | |
+## 12 | \---- | | | | |
+## 16 | | | key k2h | | |
+## 20 | optr | optr | optr | optr | optr |
+## 24 | mode | mode | mode | | |
+## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 |
+## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 |
+## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 |
+## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 |
+## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 |
+## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 |
+## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 |
+## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 |
+## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 |
+## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 |
+## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 |
+## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 |
+## 76 | saved ra | saved ra | saved ra | saved ra | saved ra |
+## 80 
+-----------+-----------+-----------+------------+-----------+
+
+## ASCON128a
+#define RATE 16
+#define PA_ROUNDS 12
+#define PA_START_ROUND 0xf0
+#define PB_ROUNDS 8
+#define PB_START_ROUND 0xb4
+#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0))
+#define IVl 0
+
+#define S_key 16
+#define S_optr 20
+#define S_mode 24
+
+.macro sbox x0, x1, x2, x3, x4, t0, t1, t2
+ xor \t1, \x0, \x4
+ xor \t2, \x3, \x4
+ xor \t0, \x1, \x2
+ orn \x4, \x3, \x4
+ xor \x4, \x4, \t0
+ xor \x3, \x3, \x1
+ or \x3, \x3, \t0
+ xor \x3, \x3, \t1
+ xor \x2, \x2, \t1
+ or \x2, \x2, \x1
+ xor \x2, \x2, \t2
+ or \x0, \x0, \t2
+ xor \t0, \t0, \x0
+ andn \x1, \x1, \t1
+ xor \x1, \x1, \t2
+.endm
+
+.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0
+ fsri \dl, \sl0, \sh0, \r0
+ fsri \dh, \sh0, \sl0, \r0
+ xor \dl, \dl, \sl
+ xor \dh, \dh, \sh
+ fsri \t0, \sl1, \sh1, \r1
+ fsri \sh, \sh1, \sl1, \r1
+ xor \dl, \dl, \t0
+ xor \dh, \dh, \sh
+.endm
+
+.align 4
+.globl ascon_permute
+.type ascon_permute,@function
+ascon_permute:
+ # ascon permutation
+ # state in s0 .. 
s9
+ # start round constant in t1
+ # temporaries in t3, t4, t5
+ # link register in t0
+ li t1l, 0x4b
+.LPloop:
+ # round constant
+ xor x2l, x2l, t1
+
+ # s-box
+ sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h
+ sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h
+
+ # linear layer
+ linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, t1h
+ linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, t1h
+ linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, t1h
+ linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, t1h
+ linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, t1h
+
+ # condition
+ addi t1, t1, -15
+ bge t1, t1l, .LPloop
+
+.LPend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_rev8
+.type ascon_rev8,@function
+ascon_rev8:
+ # ascon bytereverse one block
+ # arguments and results in t3, t4, t5, t6
+ # temporaries in t1, t2
+ # link register in t0
+ rev8 t0h, t0h
+ rev8 t0l, t0l
+ rev8 t1h, t1h
+ rev8 t1l, t1l
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_memcpy
+.type ascon_memcpy,@function
+ascon_memcpy:
+ # memcpy that preserves registers used by ascon
+ # dest in t1
+ # src in t2
+ # len in a4
+ # temporaries in t3, t4
+ # link register in t0
+ li t3, 0
+ j .LMcond
+.LMloop:
+ lbu t4, 0(t2)
+ sb t4, 0(t1)
+ addi t1, t1, 1
+ addi t2, t2, 1
+ addi t3, t3, 1
+.LMcond:
+ blt t3, ilen, .LMloop
+.LMend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_duplex
+.type ascon_duplex,@function
+ascon_duplex:
+ j .LDcond
+
+.LDloop:
+ lw t0h, 0(iptr)
+ lw t0l, 4(iptr)
+ lw t1h, 8(iptr)
+ lw t1l, 12(iptr)
+ jal t0, ascon_rev8
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+ xor x1h, x1h, t1h
+ xor x1l, x1l, t1l
+
+.LDsqueeze:
+ beq mode, zero, .LDreset
+
+ # ascon_rev8
+ # inlined here to preserve registers
+ rev8 t0, x0h
+ sw t0, 0(optr)
+ rev8 t0, x0l
+ sw t0, 4(optr)
+ rev8 t0, x1h
+ sw t0, 8(optr)
+ rev8 t0, x1l
+ sw t0, 12(optr)
+
+.LDreset:
+ bge mode, zero, .LDpermute
+ mv x0h, t0h
+ mv x0l, t0l
+ mv x1h, t1h
+ mv x1l, t1l
+
+.LDpermute:
+ li t1, PB_START_ROUND
+ jal t0, 
ascon_permute
+
+ addi optr, optr, RATE
+ addi iptr, iptr, RATE
+ addi ilen, ilen, -RATE
+
+.LDcond:
+ li t0, RATE
+ bge ilen, t0, .LDloop
+
+.LDend:
+ sw zero, 0(sp)
+ sw zero, 4(sp)
+ sw zero, 8(sp)
+ sw zero, 12(sp)
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ add t1, sp, ilen
+ lbu t0, 0(t1)
+ xori t0, t0, 0x80
+ sb t0, 0(t1)
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ lw t1h, 8(sp)
+ lw t1l, 12(sp)
+ jal t0, ascon_rev8
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+ xor x1h, x1h, t1h
+ xor x1l, x1l, t1l
+
+.LDendsqueeze:
+ beq mode, zero, .LDendreset
+
+ mv t0h, x0h
+ mv t0l, x0l
+ mv t1h, x1h
+ mv t1l, x1l
+ jal t0, ascon_rev8
+ sw t0h, 0(sp)
+ sw t0l, 4(sp)
+ sw t1h, 8(sp)
+ sw t1l, 12(sp)
+
+ mv t1, optr
+ mv t2, sp
+ jal t0, ascon_memcpy
+
+.LDendreset:
+ bge mode, zero, .LDreturn
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ lw t1h, 8(sp)
+ lw t1l, 12(sp)
+ jal t0, ascon_rev8
+ mv x0h, t0h
+ mv x0l, t0l
+ mv x1h, t1h
+ mv x1l, t1l
+
+.LDreturn:
+ add optr, optr, ilen
+ add iptr, iptr, ilen
+ ret
+
+.macro sw_unaligned x, off, a
+ sb \x, 0+\off(\a)
+ srli \x, \x, 8
+ sb \x, 1+\off(\a)
+ srli \x, \x, 8
+ sb \x, 2+\off(\a)
+ srli \x, \x, 8
+ sb \x, 3+\off(\a)
+.endm
+
+.macro lw_unaligned_4x x1, x2, x3, x4, a, t0, t1
+ andi \t0, \a, -4
+ lw \x1, 0(\t0)
+ lw \x2, 4(\t0)
+ lw \x3, 8(\t0)
+ lw \x4, 12(\t0)
+ beq \t0, \a, 1f
+ lw \t0, 16(\t0)
+ andi \t1, \a, 3
+ slli \t1, \t1, 3
+ fsr \x1, \x1, \x2, \t1
+ fsr \x2, \x2, \x3, \t1
+ fsr \x3, \x3, \x4, \t1
+ fsr \x4, \x4, \t0, \t1
+ 1:
+.endm
+
+.align 4
+.globl ascon_core
+.type ascon_core,@function
+ascon_core:
+ # ascon algorithm
+ # sets up state in s0 .. 
s9
+ # outptr in a0
+ # inptr in a1
+ # inlen in a2
+ # adptr in a3 (later used as inptr)
+ # adlen in a4 (later used as inlen)
+ # nptr in a5 (later used as k1h)
+ # kptr in a6 (later used as k1l)
+ # mode in a7 (1 enc, 0 ad, -1 dec)
+ # link register in ra
+ addi sp, sp, -80
+ sw ra, 76(sp)
+ sw s0, 72(sp)
+ sw s1, 68(sp)
+ sw s2, 64(sp)
+ sw s3, 60(sp)
+ sw s4, 56(sp)
+ sw s5, 52(sp)
+ sw s6, 48(sp)
+ sw s7, 44(sp)
+ sw s8, 40(sp)
+ sw s9, 36(sp)
+ sw s10, 32(sp)
+ sw s11, 28(sp)
+
+ # sign-extend mode
+ slli a7, a7, 24
+ srai a7, a7, 24
+
+ lw t0h, 0(a5)
+ lw t0l, 4(a5)
+ lw t1h, 8(a5)
+ lw t1l, 12(a5)
+ jal t0, ascon_rev8
+ mv x3h, t0h
+ mv x3l, t0l
+ mv x4h, t1h
+ mv x4l, t1l
+
+ lw t0h, 0(a6)
+ lw t0l, 4(a6)
+ lw t1h, 8(a6)
+ lw t1l, 12(a6)
+ jal t0, ascon_rev8
+ mv k0h, t0h
+ mv k0l, t0l
+ mv k1h, t1h
+ mv k1l, t1l
+
+ li x0h, IVh
+ li x0l, IVl
+ mv x1h, k0h
+ mv x1l, k0l
+ mv x2h, k1h
+ mv x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ beq ilen, zero, .LCskipad
+
+ sw optr, S_optr(sp)
+ sw mode, S_mode(sp)
+ mv mode, zero
+ jal ra, ascon_duplex
+ lw optr, S_optr(sp)
+ lw mode, S_mode(sp)
+
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+.LCskipad:
+ xori x4l, x4l, 1
+
+ mv iptr, a1
+ mv ilen, a2
+ jal ra, ascon_duplex
+
+ xor x2h, x2h, k0h
+ xor x2l, x2l, k0l
+ xor x3h, x3h, k1h
+ xor x3l, x3l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ bge mode, zero, .LCencrypt
+.LCdecrypt:
+ lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1
+ jal t0, ascon_rev8
+
+ xor t0, x3h, t0h
+ xor t1, x3l, t0l
+ xor t0, t0, t1
+ xor t1, x4h, t1h
+ xor t0, t0, t1
+ xor t1, x4l, t1l
+ xor t0, t0, t1
+
+ beq t0, zero, .LCzeroreturn
+ li a0, -1
+ j .LCreturn
+.LCencrypt:
+
+ mv t0h, x3h
+ mv t0l, x3l
+ mv t1h, x4h
+ mv t1l, x4l
+ jal t0, ascon_rev8
+ sw_unaligned t0h, 0, optr
+ sw_unaligned 
t0l, 4, optr
+ sw_unaligned t1h, 8, optr
+ sw_unaligned t1l, 12, optr
+
+.LCzeroreturn:
+ li a0, 0
+.LCreturn:
+ lw ra, 76(sp)
+ lw s0, 72(sp)
+ lw s1, 68(sp)
+ lw s2, 64(sp)
+ lw s3, 60(sp)
+ lw s4, 56(sp)
+ lw s5, 52(sp)
+ lw s6, 48(sp)
+ lw s7, 44(sp)
+ lw s8, 40(sp)
+ lw s9, 36(sp)
+ lw s10, 32(sp)
+ lw s11, 28(sp)
+ addi sp, sp, 80
+ jalr zero, 0(ra)
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/decrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/decrypt.c
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/encrypt.c
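Review bot: The tag check at `.LCdecrypt` folds the four per-word differences together with `xor t0, t0, t1`, so the final accumulator is zero whenever the differences cancel (for example two words that differ from the expected tag by the same mask), not only when all four differences are zero; the three combining lines must be `or t0, t0, t1` while the `xor t1, x3l, t0l` / `xor t1, x4h, t1h` / `xor t1, x4l, t1l` difference computations stay as they are. The comparison remains a single branch on the accumulator, so this keeps it constant-time. The identical sequence is in the asm_rv32b and asm_rv32i ascon.S hunks. Separately, the nonce, key and full message blocks are read with aligned `lw` in `ascon_core` and `.LDloop` while the tag is handled through `lw_unaligned_4x` and `sw_unaligned`; if unaligned `npub`, `k` or message pointers can reach this code on the target, those loads will trap or be emulated, which deserves a note in ascon.h.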
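Review bot: The prototype narrows the lengths without any check in the callers: `crypto_aead_encrypt`/`crypto_aead_decrypt` pass `unsigned long long` values into `unsigned int inlen` and `unsigned int adlen`, and -1 into `unsigned char mode`, so a length of 2^32 or more is silently truncated and the mode byte only works because the assembly sign-extends its low byte. A header comment would make the contract explicit, e.g. `/* inlen/adlen are 32-bit: callers must reject longer inputs; mode is 1 (encrypt), 0 (ad only) or -1 (decrypt) and is sign-extended from its low byte */`. The same prototype appears in the asm_rv32b and asm_rv32i ascon.h hunks.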
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/implementors b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_fsr_rv32b/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/api.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.S b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.S
new file mode 100644
index 0000000..768062d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.S
@@ -0,0 +1,474 @@
+#include "api.h"
+
+## REGISTER ALLOCATION
+#define t0h t3
+#define t0l t4
+#define t1h t5
+#define t1l t6
+#define x0h s0
+#define x0l s1
+#define x1h s2
+#define x1l s3
+#define x2h s4
+#define x2l s5
+#define x3h s6
+#define x3l s7
+#define x4h s8
+#define x4l s9
+#define k0h s10
+#define k0l s11
+#define k1h a5
+#define k1l a6
+
+## OVERLAPPING REGISTER ALLOCATION
+#define optr a0
+#define iptr a3
+#define ilen a4
+#define mode a7
+
+## STACK FRAME LAYOUT
+## +-----------+-----------+-----------+------------+-----------+
+## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH |
+## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 |
+## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 |
+## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 |
+## | KEY 16 | KEY 16 | KEY 20 | | |
+## +-----------+-----------+-----------+------------+-----------+
+## 0 | bytes | bytes | bytes | bytes | bytes |
+## 4 | | | \---- | \---- | \---- | \---- |
+## 8 | | | | | | |
+## 12 | \---- | | | | |
+## 16 | | | key k2h | | |
+## 20 | optr | optr | optr | optr | optr |
+## 24 | mode | mode | mode | | |
+## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 |
+## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 |
+## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 |
+## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 |
+## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 |
+## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 |
+## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 |
+## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 |
+## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 |
+## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 |
+## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 |
+## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 |
+## 76 | saved ra | saved ra | saved ra | saved ra | saved ra |
+## 80 
+-----------+-----------+-----------+------------+-----------+
+
+## ASCON128a
+#define RATE 16
+#define PA_ROUNDS 12
+#define PA_START_ROUND 0xf0
+#define PB_ROUNDS 8
+#define PB_START_ROUND 0xb4
+#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0))
+#define IVl 0
+
+#define S_key 16
+#define S_optr 20
+#define S_mode 24
+
+.macro sbox x0, x1, x2, x3, x4, t0, t1, t2
+ xor \t1, \x0, \x4
+ xor \t2, \x3, \x4
+ xor \t0, \x1, \x2
+ orn \x4, \x3, \x4
+ xor \x4, \x4, \t0
+ xor \x3, \x3, \x1
+ or \x3, \x3, \t0
+ xor \x3, \x3, \t1
+ xor \x2, \x2, \t1
+ or \x2, \x2, \x1
+ xor \x2, \x2, \t2
+ or \x0, \x0, \t2
+ xor \t0, \t0, \x0
+ andn \x1, \x1, \t1
+ xor \x1, \x1, \t2
+.endm
+
+.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0
+ slli \dh, \sl0, (32 - \r0)
+ srli \t0, \sh0, \r0
+ xor \dh, \dh, \t0
+ slli \t0, \sl1, (32 - \r1)
+ xor \dh, \dh, \t0
+ srli \t0, \sh1, \r1
+ xor \dh, \dh, \t0
+ slli \dl, \sh0, (32 - \r0)
+ srli \t0, \sl0, \r0
+ xor \dl, \dl, \t0
+ slli \t0, \sh1, (32 - \r1)
+ xor \dl, \dl, \t0
+ srli \t0, \sl1, \r1
+ xor \dl, \dl, \t0
+ xor \dl, \dl, \sl
+ xor \dh, \dh, \sh
+.endm
+
+.align 4
+.globl ascon_permute
+.type ascon_permute,@function
+ascon_permute:
+ # ascon permutation
+ # state in s0 .. 
s9
+ # start round constant in t1
+ # temporaries in t3, t4, t5
+ # link register in t0
+ li t1l, 0x4b
+.LPloop:
+ # round constant
+ xor x2l, x2l, t1
+
+ # s-box
+ sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h
+ sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h
+
+ # linear layer
+ linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, t1h
+ linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, t1h
+ linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, t1h
+ linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, t1h
+ linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, t1h
+
+ # condition
+ addi t1, t1, -15
+ bge t1, t1l, .LPloop
+
+.LPend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_rev8
+.type ascon_rev8,@function
+ascon_rev8:
+ # ascon bytereverse one block
+ # arguments and results in t3, t4, t5, t6
+ # temporaries in t1, t2
+ # link register in t0
+ rev8 t0h, t0h
+ rev8 t0l, t0l
+ rev8 t1h, t1h
+ rev8 t1l, t1l
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_memcpy
+.type ascon_memcpy,@function
+ascon_memcpy:
+ # memcpy that preserves registers used by ascon
+ # dest in t1
+ # src in t2
+ # len in a4
+ # temporaries in t3, t4
+ # link register in t0
+ li t3, 0
+ j .LMcond
+.LMloop:
+ lbu t4, 0(t2)
+ sb t4, 0(t1)
+ addi t1, t1, 1
+ addi t2, t2, 1
+ addi t3, t3, 1
+.LMcond:
+ blt t3, ilen, .LMloop
+.LMend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_duplex
+.type ascon_duplex,@function
+ascon_duplex:
+ j .LDcond
+
+.LDloop:
+ lw t0h, 0(iptr)
+ lw t0l, 4(iptr)
+ lw t1h, 8(iptr)
+ lw t1l, 12(iptr)
+ jal t0, ascon_rev8
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+ xor x1h, x1h, t1h
+ xor x1l, x1l, t1l
+
+.LDsqueeze:
+ beq mode, zero, .LDreset
+
+ # ascon_rev8
+ # inlined here to preserve registers
+ rev8 t0, x0h
+ sw t0, 0(optr)
+ rev8 t0, x0l
+ sw t0, 4(optr)
+ rev8 t0, x1h
+ sw t0, 8(optr)
+ rev8 t0, x1l
+ sw t0, 12(optr)
+
+.LDreset:
+ bge mode, zero, .LDpermute
+ mv x0h, t0h
+ mv x0l, t0l
+ mv x1h, t1h
+ mv x1l, t1l
+
+.LDpermute:
+ li t1, PB_START_ROUND
+ jal t0, 
ascon_permute
+
+ addi optr, optr, RATE
+ addi iptr, iptr, RATE
+ addi ilen, ilen, -RATE
+
+.LDcond:
+ li t0, RATE
+ bge ilen, t0, .LDloop
+
+.LDend:
+ sw zero, 0(sp)
+ sw zero, 4(sp)
+ sw zero, 8(sp)
+ sw zero, 12(sp)
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ add t1, sp, ilen
+ lbu t0, 0(t1)
+ xori t0, t0, 0x80
+ sb t0, 0(t1)
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ lw t1h, 8(sp)
+ lw t1l, 12(sp)
+ jal t0, ascon_rev8
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+ xor x1h, x1h, t1h
+ xor x1l, x1l, t1l
+
+.LDendsqueeze:
+ beq mode, zero, .LDendreset
+
+ mv t0h, x0h
+ mv t0l, x0l
+ mv t1h, x1h
+ mv t1l, x1l
+ jal t0, ascon_rev8
+ sw t0h, 0(sp)
+ sw t0l, 4(sp)
+ sw t1h, 8(sp)
+ sw t1l, 12(sp)
+
+ mv t1, optr
+ mv t2, sp
+ jal t0, ascon_memcpy
+
+.LDendreset:
+ bge mode, zero, .LDreturn
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ lw t1h, 8(sp)
+ lw t1l, 12(sp)
+ jal t0, ascon_rev8
+ mv x0h, t0h
+ mv x0l, t0l
+ mv x1h, t1h
+ mv x1l, t1l
+
+.LDreturn:
+ add optr, optr, ilen
+ add iptr, iptr, ilen
+ ret
+
+.macro sw_unaligned x, off, a
+ sb \x, 0+\off(\a)
+ srli \x, \x, 8
+ sb \x, 1+\off(\a)
+ srli \x, \x, 8
+ sb \x, 2+\off(\a)
+ srli \x, \x, 8
+ sb \x, 3+\off(\a)
+.endm
+
+.macro lw_unaligned_4x x1, x2, x3, x4, a, t0, t1, t2, t3
+ andi \t0, \a, -4
+ lw \x1, 0(\t0)
+ lw \x2, 4(\t0)
+ lw \x3, 8(\t0)
+ lw \x4, 12(\t0)
+ beq \t0, \a, 1f
+ lw \t0, 16(\t0)
+ andi \t1, \a, 3
+ slli \t1, \t1, 3
+ sub \t2, zero, \t1
+ srl \x1, \x1, \t1
+ sll \t3, \x2, \t2
+ or \x1, \x1, \t3
+ srl \x2, \x2, \t1
+ sll \t3, \x3, \t2
+ or \x2, \x2, \t3
+ srl \x3, \x3, \t1
+ sll \t3, \x4, \t2
+ or \x3, \x3, \t3
+ srl \x4, \x4, \t1
+ sll \t3, \t0, \t2
+ or \x4, \x4, \t3
+ 1:
+.endm
+
+.align 4
+.globl ascon_core
+.type ascon_core,@function
+ascon_core:
+ # ascon algorithm
+ # sets up state in s0 .. 
s9
+ # outptr in a0
+ # inptr in a1
+ # inlen in a2
+ # adptr in a3 (later used as inptr)
+ # adlen in a4 (later used as inlen)
+ # nptr in a5 (later used as k1h)
+ # kptr in a6 (later used as k1l)
+ # mode in a7 (1 enc, 0 ad, -1 dec)
+ # link register in ra
+ addi sp, sp, -80
+ sw ra, 76(sp)
+ sw s0, 72(sp)
+ sw s1, 68(sp)
+ sw s2, 64(sp)
+ sw s3, 60(sp)
+ sw s4, 56(sp)
+ sw s5, 52(sp)
+ sw s6, 48(sp)
+ sw s7, 44(sp)
+ sw s8, 40(sp)
+ sw s9, 36(sp)
+ sw s10, 32(sp)
+ sw s11, 28(sp)
+
+ # sign-extend mode
+ slli a7, a7, 24
+ srai a7, a7, 24
+
+ lw t0h, 0(a5)
+ lw t0l, 4(a5)
+ lw t1h, 8(a5)
+ lw t1l, 12(a5)
+ jal t0, ascon_rev8
+ mv x3h, t0h
+ mv x3l, t0l
+ mv x4h, t1h
+ mv x4l, t1l
+
+ lw t0h, 0(a6)
+ lw t0l, 4(a6)
+ lw t1h, 8(a6)
+ lw t1l, 12(a6)
+ jal t0, ascon_rev8
+ mv k0h, t0h
+ mv k0l, t0l
+ mv k1h, t1h
+ mv k1l, t1l
+
+ li x0h, IVh
+ li x0l, IVl
+ mv x1h, k0h
+ mv x1l, k0l
+ mv x2h, k1h
+ mv x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ beq ilen, zero, .LCskipad
+
+ sw optr, S_optr(sp)
+ sw mode, S_mode(sp)
+ mv mode, zero
+ jal ra, ascon_duplex
+ lw optr, S_optr(sp)
+ lw mode, S_mode(sp)
+
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+.LCskipad:
+ xori x4l, x4l, 1
+
+ mv iptr, a1
+ mv ilen, a2
+ jal ra, ascon_duplex
+
+ xor x2h, x2h, k0h
+ xor x2l, x2l, k0l
+ xor x3h, x3h, k1h
+ xor x3l, x3l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ bge mode, zero, .LCencrypt
+.LCdecrypt:
+ lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1, t2, k0h
+ jal t0, ascon_rev8
+
+ xor t0, x3h, t0h
+ xor t1, x3l, t0l
+ xor t0, t0, t1
+ xor t1, x4h, t1h
+ xor t0, t0, t1
+ xor t1, x4l, t1l
+ xor t0, t0, t1
+
+ beq t0, zero, .LCzeroreturn
+ li a0, -1
+ j .LCreturn
+.LCencrypt:
+
+ mv t0h, x3h
+ mv t0l, x3l
+ mv t1h, x4h
+ mv t1l, x4l
+ jal t0, ascon_rev8
+ sw_unaligned t0h, 0, optr
+ 
sw_unaligned t0l, 4, optr
+ sw_unaligned t1h, 8, optr
+ sw_unaligned t1l, 12, optr
+
+.LCzeroreturn:
+ li a0, 0
+.LCreturn:
+ lw ra, 76(sp)
+ lw s0, 72(sp)
+ lw s1, 68(sp)
+ lw s2, 64(sp)
+ lw s3, 60(sp)
+ lw s4, 56(sp)
+ lw s5, 52(sp)
+ lw s6, 48(sp)
+ lw s7, 44(sp)
+ lw s8, 40(sp)
+ lw s9, 36(sp)
+ lw s10, 32(sp)
+ lw s11, 28(sp)
+ addi sp, sp, 80
+ jalr zero, 0(ra)
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/decrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/decrypt.c
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/implementors b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32b/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/api.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.S b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.S
new file mode 100644
index 0000000..c2ead4a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.S
@@ -0,0 +1,488 @@
+#include "api.h"
+
+## REGISTER ALLOCATION
+#define t0h t3
+#define t0l t4
+#define t1h t5
+#define t1l t6
+#define x0h s0
+#define x0l s1
+#define x1h s2
+#define x1l s3
+#define x2h s4
+#define x2l s5
+#define x3h s6
+#define x3l s7
+#define x4h s8
+#define x4l s9
+#define k0h s10
+#define k0l s11
+#define k1h a5
+#define k1l a6
+
+## OVERLAPPING REGISTER ALLOCATION
+#define optr a0
+#define iptr a3
+#define ilen a4
+#define mode a7
+
+## STACK FRAME LAYOUT
+## +-----------+-----------+-----------+------------+-----------+
+## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH |
+## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 |
+## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 |
+## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 |
+## | KEY 16 | KEY 16 | KEY 20 | | |
+## +-----------+-----------+-----------+------------+-----------+
+## 0 | bytes | bytes | bytes | bytes | bytes |
+## 4 | | | \---- | \---- | \---- | \---- |
+## 8 | | | | | | |
+## 12 | \---- | | | | |
+## 16 | | | key k2h | | |
+## 20 | optr | optr | optr | optr | optr |
+## 24 | mode | mode | mode | | |
+## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 |
+## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 |
+## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 |
+## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 |
+## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 |
+## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 |
+## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 |
+## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 |
+## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 |
+## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 |
+## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 |
+## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 |
+## 76 | saved ra | saved ra | saved ra | saved ra | saved ra |
+## 80 
+-----------+-----------+-----------+------------+-----------+
+
+## ASCON128a
+#define RATE 16
+#define PA_ROUNDS 12
+#define PA_START_ROUND 0xf0
+#define PB_ROUNDS 8
+#define PB_START_ROUND 0xb4
+#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0))
+#define IVl 0
+
+#define S_key 16
+#define S_optr 20
+#define S_mode 24
+
+.macro sbox x0, x1, x2, x3, x4, t0, t1, t2
+ xor \t1, \x0, \x4
+ xor \t2, \x3, \x4
+ xori \x4, \x4, -1
+ xor \t0, \x1, \x2
+ or \x4, \x4, \x3
+ xor \x4, \x4, \t0
+ xor \x3, \x3, \x1
+ or \x3, \x3, \t0
+ xor \x3, \x3, \t1
+ xor \x2, \x2, \t1
+ or \x2, \x2, \x1
+ xor \x2, \x2, \t2
+ or \x0, \x0, \t2
+ xor \t0, \t0, \x0
+ xori \t1, \t1, -1
+ and \x1, \x1, \t1
+ xor \x1, \x1, \t2
+.endm
+
+.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0
+ slli \dh, \sl0, (32 - \r0)
+ srli \t0, \sh0, \r0
+ xor \dh, \dh, \t0
+ slli \t0, \sl1, (32 - \r1)
+ xor \dh, \dh, \t0
+ srli \t0, \sh1, \r1
+ xor \dh, \dh, \t0
+ slli \dl, \sh0, (32 - \r0)
+ srli \t0, \sl0, \r0
+ xor \dl, \dl, \t0
+ slli \t0, \sh1, (32 - \r1)
+ xor \dl, \dl, \t0
+ srli \t0, \sl1, \r1
+ xor \dl, \dl, \t0
+ xor \dl, \dl, \sl
+ xor \dh, \dh, \sh
+.endm
+
+.align 4
+.globl ascon_permute
+.type ascon_permute,@function
+ascon_permute:
+ # ascon permutation
+ # state in s0 .. 
s9
+ # start round constant in t1
+ # temporaries in t3, t4, t5
+ # link register in t0
+ li t1l, 0x4b
+.LPloop:
+ # round constant
+ xor x2l, x2l, t1
+
+ # s-box
+ sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h
+ sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h
+
+ # linear layer
+ linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, t1h
+ linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, t1h
+ linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, t1h
+ linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, t1h
+ linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, t1h
+
+ # condition
+ addi t1, t1, -15
+ bge t1, t1l, .LPloop
+
+.LPend:
+ jalr zero, 0(t0)
+
+.macro rev8 d, x, t0, t1
+ slli \t0, \x, 24
+ srli \d, \x, 8
+ or \d, \d, \t0
+ srli \t0, \d, 16
+ xor \t0, \t0, \d
+ andi \t0, \t0, 0xff
+ slli \t1, \t0, 16
+ xor \t0, \t0, \t1
+ xor \d, \d, \t0
+.endm
+
+.align 4
+.globl ascon_rev8
+.type ascon_rev8,@function
+ascon_rev8:
+ # ascon bytereverse one block
+ # arguments and results in t3, t4, t5, t6
+ # temporaries in t1, t2
+ # link register in t0
+ rev8 t0h, t0h, t1, t2
+ rev8 t0l, t0l, t1, t2
+ rev8 t1h, t1h, t1, t2
+ rev8 t1l, t1l, t1, t2
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_memcpy
+.type ascon_memcpy,@function
+ascon_memcpy:
+ # memcpy that preserves registers used by ascon
+ # dest in t1
+ # src in t2
+ # len in a4
+ # temporaries in t3, t4
+ # link register in t0
+ li t3, 0
+ j .LMcond
+.LMloop:
+ lbu t4, 0(t2)
+ sb t4, 0(t1)
+ addi t1, t1, 1
+ addi t2, t2, 1
+ addi t3, t3, 1
+.LMcond:
+ blt t3, ilen, .LMloop
+.LMend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_duplex
+.type ascon_duplex,@function
+ascon_duplex:
+ j .LDcond
+
+.LDloop:
+ lw t0h, 0(iptr)
+ lw t0l, 4(iptr)
+ lw t1h, 8(iptr)
+ lw t1l, 12(iptr)
+ jal t0, ascon_rev8
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+ xor x1h, x1h, t1h
+ xor x1l, x1l, t1l
+
+.LDsqueeze:
+ beq mode, zero, .LDreset
+
+ # ascon_rev8
+ # inlined here to preserve registers
+ rev8 t0, x0h, t1, t2
+ sw t0, 0(optr)
+ rev8 
t0, x0l, t1, t2
+ sw t0, 4(optr)
+ rev8 t0, x1h, t1, t2
+ sw t0, 8(optr)
+ rev8 t0, x1l, t1, t2
+ sw t0, 12(optr)
+
+.LDreset:
+ bge mode, zero, .LDpermute
+ mv x0h, t0h
+ mv x0l, t0l
+ mv x1h, t1h
+ mv x1l, t1l
+
+.LDpermute:
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+ addi optr, optr, RATE
+ addi iptr, iptr, RATE
+ addi ilen, ilen, -RATE
+
+.LDcond:
+ li t0, RATE
+ bge ilen, t0, .LDloop
+
+.LDend:
+ sw zero, 0(sp)
+ sw zero, 4(sp)
+ sw zero, 8(sp)
+ sw zero, 12(sp)
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ add t1, sp, ilen
+ lbu t0, 0(t1)
+ xori t0, t0, 0x80
+ sb t0, 0(t1)
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ lw t1h, 8(sp)
+ lw t1l, 12(sp)
+ jal t0, ascon_rev8
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+ xor x1h, x1h, t1h
+ xor x1l, x1l, t1l
+
+.LDendsqueeze:
+ beq mode, zero, .LDendreset
+
+ mv t0h, x0h
+ mv t0l, x0l
+ mv t1h, x1h
+ mv t1l, x1l
+ jal t0, ascon_rev8
+ sw t0h, 0(sp)
+ sw t0l, 4(sp)
+ sw t1h, 8(sp)
+ sw t1l, 12(sp)
+
+ mv t1, optr
+ mv t2, sp
+ jal t0, ascon_memcpy
+
+.LDendreset:
+ bge mode, zero, .LDreturn
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ lw t1h, 8(sp)
+ lw t1l, 12(sp)
+ jal t0, ascon_rev8
+ mv x0h, t0h
+ mv x0l, t0l
+ mv x1h, t1h
+ mv x1l, t1l
+
+.LDreturn:
+ add optr, optr, ilen
+ add iptr, iptr, ilen
+ ret
+
+.macro sw_unaligned x, off, a
+ sb \x, 0+\off(\a)
+ srli \x, \x, 8
+ sb \x, 1+\off(\a)
+ srli \x, \x, 8
+ sb \x, 2+\off(\a)
+ srli \x, \x, 8
+ sb \x, 3+\off(\a)
+.endm
+
+.macro lw_unaligned_4x x1, x2, x3, x4, a, t0, t1, t2, t3
+ andi \t0, \a, -4
+ lw \x1, 0(\t0)
+ lw \x2, 4(\t0)
+ lw \x3, 8(\t0)
+ lw \x4, 12(\t0)
+ beq \t0, \a, 1f
+ lw \t0, 16(\t0)
+ andi \t1, \a, 3
+ slli \t1, \t1, 3
+ sub \t2, zero, \t1
+ srl \x1, \x1, \t1
+ sll \t3, \x2, \t2
+ or \x1, \x1, \t3
+ srl \x2, \x2, \t1
+ sll \t3, \x3, \t2
+ or \x2, \x2, \t3
+ srl \x3, \x3, \t1
+ sll \t3, \x4, \t2
+ or \x3, \x3, \t3
+ srl \x4, \x4, \t1
+ sll \t3, \t0, \t2
+ or \x4, \x4, \t3
+ 1:
+.endm
+
+.align 4
+.globl 
ascon_core
+.type ascon_core,@function
+ascon_core:
+ # ascon algorithm
+ # sets up state in s0 .. s9
+ # outptr in a0
+ # inptr in a1
+ # inlen in a2
+ # adptr in a3 (later used as inptr)
+ # adlen in a4 (later used as inlen)
+ # nptr in a5 (later used as k1h)
+ # kptr in a6 (later used as k1l)
+ # mode in a7 (1 enc, 0 ad, -1 dec)
+ # link register in ra
+ addi sp, sp, -80
+ sw ra, 76(sp)
+ sw s0, 72(sp)
+ sw s1, 68(sp)
+ sw s2, 64(sp)
+ sw s3, 60(sp)
+ sw s4, 56(sp)
+ sw s5, 52(sp)
+ sw s6, 48(sp)
+ sw s7, 44(sp)
+ sw s8, 40(sp)
+ sw s9, 36(sp)
+ sw s10, 32(sp)
+ sw s11, 28(sp)
+
+ # sign-extend mode
+ slli a7, a7, 24
+ srai a7, a7, 24
+
+ lw t0h, 0(a5)
+ lw t0l, 4(a5)
+ lw t1h, 8(a5)
+ lw t1l, 12(a5)
+ jal t0, ascon_rev8
+ mv x3h, t0h
+ mv x3l, t0l
+ mv x4h, t1h
+ mv x4l, t1l
+
+ lw t0h, 0(a6)
+ lw t0l, 4(a6)
+ lw t1h, 8(a6)
+ lw t1l, 12(a6)
+ jal t0, ascon_rev8
+ mv k0h, t0h
+ mv k0l, t0l
+ mv k1h, t1h
+ mv k1l, t1l
+
+ li x0h, IVh
+ li x0l, IVl
+ mv x1h, k0h
+ mv x1l, k0l
+ mv x2h, k1h
+ mv x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ beq ilen, zero, .LCskipad
+
+ sw optr, S_optr(sp)
+ sw mode, S_mode(sp)
+ mv mode, zero
+ jal ra, ascon_duplex
+ lw optr, S_optr(sp)
+ lw mode, S_mode(sp)
+
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+.LCskipad:
+ xori x4l, x4l, 1
+
+ mv iptr, a1
+ mv ilen, a2
+ jal ra, ascon_duplex
+
+ xor x2h, x2h, k0h
+ xor x2l, x2l, k0l
+ xor x3h, x3h, k1h
+ xor x3l, x3l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ bge mode, zero, .LCencrypt
+.LCdecrypt:
+ lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1, t2, k0h
+ jal t0, ascon_rev8
+
+ xor t0, x3h, t0h
+ xor t1, x3l, t0l
+ xor t0, t0, t1
+ xor t1, x4h, t1h
+ xor t0, t0, t1
+ xor t1, x4l, t1l
+ xor t0, t0, t1
+
+ beq t0, zero, .LCzeroreturn
+ li a0, -1
+ j .LCreturn
+.LCencrypt:
+
+ mv t0h, 
x3h
+ mv t0l, x3l
+ mv t1h, x4h
+ mv t1l, x4l
+ jal t0, ascon_rev8
+ sw_unaligned t0h, 0, optr
+ sw_unaligned t0l, 4, optr
+ sw_unaligned t1h, 8, optr
+ sw_unaligned t1l, 12, optr
+
+.LCzeroreturn:
+ li a0, 0
+.LCreturn:
+ lw ra, 76(sp)
+ lw s0, 72(sp)
+ lw s1, 68(sp)
+ lw s2, 64(sp)
+ lw s3, 60(sp)
+ lw s4, 56(sp)
+ lw s5, 52(sp)
+ lw s6, 48(sp)
+ lw s7, 44(sp)
+ lw s8, 40(sp)
+ lw s9, 36(sp)
+ lw s10, 32(sp)
+ lw s11, 28(sp)
+ addi sp, sp, 80
+ jalr zero, 0(ra)
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/decrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/decrypt.c
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
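Review bot: On a tag mismatch the new `crypto_aead_decrypt` returns `ascon_core`'s -1 but leaves `*mlen` set to `clen - CRYPTO_ABYTES`, and the assembly path has by then already written the unauthenticated plaintext into `m` (the `.LCdecrypt` compare runs after `ascon_duplex` has produced the output), so a caller that trusts `*mlen` or ignores the return value consumes forged data. I would capture the verdict and zero the length on failure: `int ret = ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);` / `if (ret != 0) *mlen = 0;` / `return ret;` and document that `m` must be discarded when the call fails. Note also that `*mlen` and `adlen` are `unsigned long long` while the `ascon_core` prototype takes `unsigned int inlen`/`adlen`, so lengths above 4 GiB are silently truncated and the tag would cover only a prefix; this cannot arise on an RV32 target where such buffers do not exist, but it deserves a comment (or an explicit range check) if the header is ever reused for a 64-bit build.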
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/implementors b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/asm_rv32i/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/api.h b/ascon/Implementations/crypto_aead/ascon128av12/avx512/api.h
index 2d904bf..0eec2d1 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/api.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/api.h
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 16
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/avx512/ascon.h
index 7ead350..d29f5c2 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/ascon.h
@@ -8,15 +8,21 @@ typedef union { __m512i z; - struct { - word_t x0, x1, x2, x3, x4, x5, x6, x7; - }; + uint64_t x[5]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} akey_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const akey_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const akey_t* k); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/avx512/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/avx512/encrypt.c new file mode 100644 index 0000000..4d28e3d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/encrypt.c 
@@ -0,0 +1,238 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#define AVX512_SHUFFLE_U64BIG \ + _mm512_set_epi8(-1, -1, -1, -1, -1, -1, -1, -1, /* word 7 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 6 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 5 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 4 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 3 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 2 */ \ + 8, 9, 10, 11, 12, 13, 14, 15, /* word 1 */ \ + 0, 1, 2, 3, 4, 5, 6, 7) /* word 0 */ + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(akey_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const akey_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const __m512i u64big = AVX512_SHUFFLE_U64BIG; + const int mask = (ASCON_AEAD_RATE == 8) ? 0xff : 0xffff; + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + state_t r = *s, t; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + t.z = _mm512_maskz_loadu_epi8(mask, ad); + t.z = _mm512_maskz_shuffle_epi8(mask, t.z, u64big); + r.z = _mm512_xor_epi64(r.z, t.z); + printstate("absorb adata", &r); + P(&r, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + *s = r; + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const __m512i u64big = AVX512_SHUFFLE_U64BIG; + const int mask = (ASCON_AEAD_RATE == 8) ? 0xff : 0xffff; + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + state_t r = *s, t; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + t.z = _mm512_maskz_loadu_epi8(mask, m); + t.z = _mm512_maskz_shuffle_epi8(mask, t.z, u64big); + r.z = _mm512_xor_epi64(r.z, t.z); + t.z = _mm512_maskz_shuffle_epi8(mask, r.z, u64big); + _mm512_mask_storeu_epi8(c, mask, t.z); + printstate("absorb plaintext", &r); + P(&r, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + *s = r; + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const __m512i u64big = AVX512_SHUFFLE_U64BIG; + const int mask = (ASCON_AEAD_RATE == 8) ? 
0xff : 0xffff; + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + state_t r = *s, t, u; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + t.z = _mm512_maskz_loadu_epi8(mask, c); + t.z = _mm512_maskz_shuffle_epi8(mask, t.z, u64big); + r.z = _mm512_xor_epi64(r.z, t.z); + u.z = _mm512_maskz_shuffle_epi8(mask, r.z, u64big); + r.z = _mm512_mask_blend_epi8(mask, r.z, t.z); + _mm512_mask_storeu_epi8(m, mask, u.z); + printstate("insert ciphertext", &r); + P(&r, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + *s = r; + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const akey_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + akey_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + 
ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + akey_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.h 
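Review bot: `crypto_aead_decrypt` in this new file releases unauthenticated plaintext: `ascon_decrypt` has already written every byte of `m` and `*mlen` has been set before `NOTZERO` is evaluated on the tag, so a caller that ignores the return value or reads `*mlen` first consumes forged data. Capture the verdict and zero the length on failure, `int ret = NOTZERO(s.x[3], s.x[4]); if (ret) *mlen = 0; return ret;`, and state in the comment above the tag check that `m` must be discarded whenever the result is non-zero (the `clen < CRYPTO_ABYTES` early return should set `*mlen = 0` for the same reason, as the rv32i variant in this patch does). Separately, `akey_t key` and `state_t s` hold the key and key-dependent state on the stack in both entry points and are never cleared before return; if stack residue matters for this build, an explicit wipe that the compiler cannot elide (a volatile store loop or `explicit_bzero`/`SecureZeroMemory` where available) belongs before each `return`, since a plain `memset` on a dying local is routinely optimised away.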
+++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/permutations.h 
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.c 
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/round.h b/ascon/Implementations/crypto_aead/ascon128av12/avx512/round.h index 733d332..11d01ac 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/round.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/round.h 
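Review bot: Renaming the guard from `ASCON_PRINTSTATE` to `ASCON_PRINT_STATE` in both printstate.c and printstate.h silently disables tracing for any build script or Makefile that still passes the old `-DASCON_PRINTSTATE`; nothing in this hunk warns about the change. A one-line compatibility shim at the top of printstate.h, `#if defined(ASCON_PRINTSTATE) && !defined(ASCON_PRINT_STATE)` / `#define ASCON_PRINT_STATE` / `#endif`, or at least a `#warning` for the old name, would make the migration visible. Also worth a comment next to `printstate`: when enabled it prints the full 320-bit state at `"init 1st key xor"` and similar points, i.e. raw key material, so it must never be left on in a shipped build.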
@@ -4,21 +4,7 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { +forceinline void ROUND(state_t* s, uint64_t C) { uint64_t x = 0; __mmask8 mxor1 = 0x15; __mmask8 mxor2 = 0x0b; @@ -48,4 +34,8 @@ forceinline void ROUND(state_t* s, word_t C) { printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + for (int i = START(nr); i != END; i += INC) ROUND(s, (i)); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/avx512/word.h b/ascon/Implementations/crypto_aead/ascon128av12/avx512/word.h index 3df73c4..79bfeb4 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/avx512/word.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/avx512/word.h 
@@ -2,30 +2,27 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" -typedef uint64_t word_t; +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -#define WORD_T -#define UINT64_T -#define U64TOWORD -#define WORDTOU64 +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); } +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } -forceinline word_t NOT(word_t a) { return ~a; } - -forceinline word_t XOR(word_t a, word_t b) { return a ^ b; } - -forceinline word_t AND(word_t a, word_t b) { return a & b; } - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { +forceinline int NOTZERO(uint64_t a, uint64_t b) { uint64_t result = a | b; result |= result >> 32; result |= result >> 16; @@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) { return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); + uint64_t mask = ~0ull >> (8 * n); return w & mask; } 
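Review bot: The comment `/* undefined for n == 0 */` on `CLEAR` no longer matches the new body: `~0ull >> (8 * n)` is well defined for n == 0 (it yields the all-ones mask and returns `w` unchanged) but is undefined behaviour for n == 8, since shifting a 64-bit value by 64 is UB in C. The only caller visible in this patch passes a partial-block length in 1..7, so this is a documentation fix: `/* valid for 0 <= n < 8; n == 8 would shift by the full width (UB) */`. The newly introduced `word_t` union is not used by any function in this hunk any more; if it is kept only for the other implementations sharing this header, a one-line comment saying so would save the next reader a search.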
@@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64BIG(x); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(w); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; - return x; + memcpy(&x, bytes, n); + return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i]; +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/api.h index 2d904bf..0eec2d1 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/api.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/ascon.h 
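Review bot: `LOAD` and `STORE` dereference `*(uint64_t*)bytes` regardless of `n`, so on the final partial block in encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(m, *px, clen)` with n < 8) they read, and `STORE` also writes, up to 8 - n bytes past the end of the caller's buffer; the `&= ~MASK(n)` only preserves bytes that the following OR leaves clear, and in the decrypt tail `*px` is state-dependent and non-zero beyond byte n, so those out-of-range bytes of `m` are modified. The cast is also an unaligned, strict-aliasing-violating access that the memcpy-based `LOADBYTES`/`STOREBYTES` in the same hunk already avoid. If the over-read is intentional for speed and the API requires callers to over-allocate, that contract must be stated in a comment here and in the README; otherwise the tail paths should call `LOADBYTES`/`STOREBYTES`, or `LOAD`/`STORE` should be built on memcpy as below, which compilers typically still fold to a single 8-byte move for the constant n == 8 call sites.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* touches only bytes[0..n-1]; upper bytes stay zero */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n); /* never writes past bytes[n-1] */
}
```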
@@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/config.h index 9568d5b..5d155e0 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/config.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/config.h @@ -16,4 +16,14 @@ #define ASCON_UNROLL_LOOPS 1 #endif +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 1 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + #endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.c 
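Review bot: The new `typedef struct { ... } key_t;` reuses a name POSIX already owns: `<sys/types.h>` defines `key_t` (the System V IPC key type) and that header is commonly pulled in transitively by `<stdio.h>`/`<stdlib.h>`, so any translation unit including both will fail with a conflicting-typedef error. The avx512 variant in this same patch names the equivalent struct `akey_t`; using `akey_t` here too avoids the clash and keeps the two implementations consistent, with the `ascon_initaead`/`ascon_final` prototypes below updated to match.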
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32/encrypt.c index bc5f398..631e60c 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/encrypt.c 
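Review bot: `extern const uint8_t constants[];` exports the round-constant table under a generic, unprefixed external name, and `constants.c` defines it non-static, so linking two Ascon variants from this repository (or any other object with a `constants` symbol) into one binary would produce a duplicate-symbol error or silently pick the wrong table. `ascon_round_constants`, with the `RC(i)` macro updated to match, or a `static const` table placed in the single .c file that uses it, removes the hazard. The same applies in a smaller way to the macros `INC`, `END` and `START`, which are short enough to collide with user code that includes this header.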
@@ -1,144 +1,220 @@
#include "api.h"
-#include "endian.h"
+#include "ascon.h"
+#include "crypto_aead.h"
#include "permutations.h"
+#include "printstate.h"
-#define RATE (128 / 8)
-#define PA_ROUNDS 12
-#define PB_ROUNDS 8
-#define IV \
- ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \
- (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32)
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
-int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
- const unsigned char* m, unsigned long long mlen,
- const unsigned char* ad, unsigned long long adlen,
- const unsigned char* nsec, const unsigned char* npub,
- const unsigned char* k) {
- u32_2 K0, K1, N0, N1;
- u32_2 x0, x1, x2, x3, x4;
- u32_2 t0, t1, t2, t3, t4;
- u64 tmp0, tmp1;
- u32 i;
- (void)nsec;
-
- // set ciphertext size
- *clen = mlen + CRYPTO_ABYTES;
+#ifdef ASCON_AEAD_RATE
- // load key and nonce
- to_bit_interleaving(K0, U64BIG(*(u64*)k));
- to_bit_interleaving(K1, U64BIG(*(u64*)(k + 8)));
- to_bit_interleaving(N0, U64BIG(*(u64*)npub));
- to_bit_interleaving(N1, U64BIG(*(u64*)(npub + 8)));
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
-
- // initialization
- to_bit_interleaving(x0, IV);
- x1.o = K0.o;
- x1.e = K0.e;
- x2.e = K1.e;
- x2.o = K1.o;
- x3.e = N0.e;
- x3.o = N0.o;
- x4.e = N1.e;
- x4.o = N1.o;
- P12();
- x3.e ^= K0.e;
- x3.o ^= K0.o;
- x4.e ^= K1.e;
- x4.o ^= K1.o;
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ 
 s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
- // process associated data
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
if (adlen) {
- while (adlen >= RATE) {
- to_bit_interleaving(t0, U64BIG(*(u64*)ad));
- x0.e ^= t0.e;
- x0.o ^= t0.o;
- to_bit_interleaving(t1, U64BIG(*(u64*)(ad + 8)));
- x1.e ^= t1.e;
- x1.o ^= t1.o;
- P8();
- adlen -= RATE;
- ad += RATE;
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
}
- tmp0 = 0;
- tmp1 = 0;
- for (i = 0; i < adlen; ++i, ++ad)
- if (i < 8)
- tmp0 ^= INS_BYTE64(*ad, i);
- else
- tmp1 ^= INS_BYTE64(*ad, i % 8);
- if (adlen < 8)
- tmp0 ^= INS_BYTE64(0x80, adlen);
- else
- tmp1 ^= INS_BYTE64(0x80, adlen % 8);
- to_bit_interleaving(t0, tmp0);
- x0.e ^= t0.e;
- x0.o ^= t0.o;
- to_bit_interleaving(t1, tmp1);
- x1.e ^= t1.e;
- x1.o ^= t1.o;
- P8();
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
}
- x4.e ^= 1;
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
- // process plaintext
- while (mlen >= RATE) {
- to_bit_interleaving(t0, U64BIG(*(u64*)m));
- x0.e ^= t0.e;
- x0.o ^= t0.o;
- to_bit_interleaving(t1, U64BIG(*(u64*)(m + 8)));
- x1.e ^= t1.e;
- x1.o ^= t1.o;
- from_bit_interleaving(tmp0, x0);
- *(u64*)c = U64BIG(tmp0);
- from_bit_interleaving(tmp1, x1);
- *(u64*)(c + 8) = U64BIG(tmp1);
- 
 P8();
- mlen -= RATE;
- m += RATE;
- c += RATE;
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
}
- tmp0 = 0;
- tmp1 = 0;
- for (i = 0; i < mlen; ++i, ++m)
- if (i < 8)
- tmp0 ^= INS_BYTE64(*m, i);
- else
- tmp1 ^= INS_BYTE64(*m, i % 8);
- if (mlen < 8)
- tmp0 ^= INS_BYTE64(0x80, mlen);
- else
- tmp1 ^= INS_BYTE64(0x80, mlen % 8);
- to_bit_interleaving(t0, tmp0);
- x0.e ^= t0.e;
- x0.o ^= t0.o;
- to_bit_interleaving(t1, tmp1);
- x1.e ^= t1.e;
- x1.o ^= t1.o;
- from_bit_interleaving(tmp0, x0);
- from_bit_interleaving(tmp1, x1);
- for (i = 0; i < mlen; ++i, ++c)
- if (i < 8)
- *c = EXT_BYTE64(tmp0, i);
- else
- *c = EXT_BYTE64(tmp1, i % 8);
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
- // finalization
- x2.e ^= K0.e;
- x2.o ^= K0.o;
- x3.e ^= K1.e;
- x3.o ^= K1.o;
- P12();
- x3.e ^= K0.e;
- x3.o ^= K0.o;
- x4.e ^= K1.e;
- x4.o ^= K1.o;
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
- // set tag
- from_bit_interleaving(tmp0, x3);
- *(u64*)c = U64BIG(tmp0);
- from_bit_interleaving(tmp1, x4);
- *(u64*)(c + 8) = U64BIG(tmp1);
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* 
 set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
return 0;
}
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.c
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.h
index 7dfa822..e5d6703 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/interleave.h
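Review bot: In `crypto_aead_decrypt` the plaintext is written to `m` by `ascon_decrypt` before the tag is compared, so on a `NOTZERO` mismatch the caller is left holding unauthenticated plaintext and nothing in the function or its comments says so. I would document that `m` must be discarded when the return value is nonzero, and preferably clear it, e.g. `int rc = NOTZERO(s.x[3], s.x[4]); if (rc) memset(m, 0, (size_t)clen); return rc;` (memset needs <string.h>, which word.h in this patch seems to include for its memcpy calls — confirm). The `/* verify tag (should be constant time, check compiler output) */` reminder is good, but the property has to hold in `NOTZERO` in word.h, so the comment would be more useful pointing there.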
@@ -3,47 +3,65 @@
#include
+#include "config.h"
+#include "endian.h"
#include "forceinline.h"
-forceinline uint32_t deinterleave_uint32(uint32_t x) {
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
uint32_t t;
- t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1);
- t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2);
- t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4);
- t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
return x;
}
-forceinline uint32_t interleave_uint32(uint32_t x) {
+forceinline uint32_t interleave16(uint32_t x) {
uint32_t t;
- t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8);
- t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4);
- t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2);
- t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
return x;
}
/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
uint32_t hi = in >> 32;
uint32_t lo = in;
- uint32_t r0, r1;
- lo = deinterleave_uint32(lo);
- hi = deinterleave_uint32(hi);
- r0 = (lo & 0x0000FFFF) | (hi << 16);
- r1 = (lo >> 16) | (hi & 0xFFFF0000);
- return (uint64_t)r1 << 32 | r0;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
}
/* credit to Henry S. 
Warren, Hacker's Delight, Addison-Wesley, 2002 */
forceinline uint64_t interleave32(uint64_t in) {
- uint32_t r0 = in;
- uint32_t r1 = in >> 32;
- uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16);
- uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000);
- lo = interleave_uint32(lo);
- hi = interleave_uint32(hi);
- return (uint64_t)hi << 32 | lo;
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
}
#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.c
index 8e9b3c1..46450d4 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.c
@@ -1,17 +1,22 @@
#include "permutations.h"
-#if !ASCON_UNROLL_LOOPS
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9},
- {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9},
- {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}};
+void P12(state_t* s) { P12ROUNDS(s); }
#endif
-#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-void P12(state_t* s) { P12ROUNDS(s); }
void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
void P6(state_t* s) { P6ROUNDS(s); }
#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.h
index 336d7bb..feaa7dc 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.h
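Review bot: The new `extern const uint32_t B[3]` exports a one-letter global symbol from interleave.c, which is easy to collide with when this code is linked together with other objects in a larger binary. A project-prefixed name such as `ascon_bi_masks` would be safer; the definition `const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};` is in the interleave.c hunk just above. Presumably the masks were moved from immediates into a table so the compiler keeps them in memory rather than rematerialising them in every call; a one-line comment above the `extern` stating that intent would spare the next reader the guess.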
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/permutations.h 
@@ -6,104 +6,43 @@
#include "api.h"
#include "ascon.h"
#include "config.h"
+#include "constants.h"
#include "printstate.h"
#include "round.h"
-#define ASCON_128_KEYBYTES 16
-#define ASCON_128A_KEYBYTES 16
-#define ASCON_80PQ_KEYBYTES 20
-
-#define ASCON_128_RATE 8
-#define ASCON_128A_RATE 16
-#define ASCON_HASH_RATE 8
-
-#define ASCON_128_PA_ROUNDS 12
-#define ASCON_128_PB_ROUNDS 6
-
-#define ASCON_128A_PA_ROUNDS 12
-#define ASCON_128A_PB_ROUNDS 8
-
-#define ASCON_HASH_PA_ROUNDS 12
-#define ASCON_HASH_PB_ROUNDS 12
-
-#define ASCON_HASHA_PA_ROUNDS 12
-#define ASCON_HASHA_PB_ROUNDS 8
-
-#define ASCON_HASH_BYTES 32
-
-#define ASCON_128_IV WORD_T(0x8021000008220000ull)
-#define ASCON_128A_IV WORD_T(0x8822000000200000ull)
-#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull)
-#define ASCON_HASH_IV WORD_T(0x0020000008020010ull)
-#define ASCON_XOF_IV WORD_T(0x0020000008020000ull)
-
-#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull)
-#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull)
-#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull)
-#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull)
-#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull)
-
-#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull)
-#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull)
-#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull)
-#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full)
-#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull)
-
-#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull)
-#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull)
-#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull)
-#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull)
-#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull)
-
-#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull)
-#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull)
-#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull)
-#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull)
-#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull)
-
-#define START(n) (12 - 
 n)
-#define RC(e, o) WORD_T((uint64_t)o << 32 | e)
-
forceinline void P12ROUNDS(state_t* s) {
- ROUND(s, RC(0xc, 0xc));
- ROUND(s, RC(0x9, 0xc));
- ROUND(s, RC(0xc, 0x9));
- ROUND(s, RC(0x9, 0x9));
- ROUND(s, RC(0x6, 0xc));
- ROUND(s, RC(0x3, 0xc));
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
}
forceinline void P8ROUNDS(state_t* s) {
- ROUND(s, RC(0x6, 0xc));
- ROUND(s, RC(0x3, 0xc));
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
}
forceinline void P6ROUNDS(state_t* s) {
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
-}
-
-extern const uint8_t constants[][2];
-
-forceinline void PROUNDS(state_t* s, int nr) {
- for (int i = START(nr); i < 12; i++)
- ROUND(s, RC(constants[i][0], constants[i][1]));
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
}
#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.c
index 6cb5f4d..8aa5862 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.c
@@ -1,21 +1,40 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
#include "printstate.h"
#include
#include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
}
void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
}
#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/printstate.h
@@ -1,12 +1,12 @@
#ifndef PRINTSTATE_H_
#define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
#include "ascon.h"
#include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
void printstate(const char* text, const state_t* s);
#else
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/round.h
index cd8ec34..772d7f2 100644
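Review bot: `for (int i = strlen(text); i < 17; ++i)` in the new `printstate` narrows a `size_t` to `int` and then compares mixed signedness, which `-Wconversion`/`-Wsign-compare` builds will flag; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` avoids both. The function is compiled only under `ASCON_PRINT_STATE`, so it is debug-only code, but it dumps the complete cipher state including the key-derived words, which deserves a one-line comment at the top of the file such as `/* debug tracing only: prints the full internal state, including key material */` so nobody enables it in a shipped build by accident.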
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/round.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/round.h 
@@ -4,49 +4,43 @@
#include "ascon.h"
#include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-forceinline void ROUND(state_t* s, word_t C) {
+forceinline void ROUND(state_t* s, uint64_t C) {
state_t t;
/* round constant */
- s->x2 = XOR(s->x2, C);
+ s->x[2] ^= C;
/* s-box layer */
- s->x0 = XOR(s->x0, s->x4);
- s->x4 = XOR(s->x4, s->x3);
- s->x2 = XOR(s->x2, s->x1);
- t.x0 = XOR(s->x0, AND(NOT(s->x1), s->x2));
- t.x2 = XOR(s->x2, AND(NOT(s->x3), s->x4));
- t.x4 = XOR(s->x4, AND(NOT(s->x0), s->x1));
- t.x1 = XOR(s->x1, AND(NOT(s->x2), s->x3));
- t.x3 = XOR(s->x3, AND(NOT(s->x4), s->x0));
- t.x1 = XOR(t.x1, t.x0);
- t.x3 = XOR(t.x3, t.x2);
- t.x0 = XOR(t.x0, t.x4);
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]);
+ t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]);
+ t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]);
+ t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]);
+ t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]);
+ t.x[1] ^= t.x[0];
+ t.x[3] ^= t.x[2];
+ t.x[0] ^= t.x[4];
/* linear layer */
- s->x2 = XOR(t.x2, ROR(t.x2, 6 - 1));
- s->x3 = XOR(t.x3, ROR(t.x3, 17 - 10));
- s->x4 = XOR(t.x4, ROR(t.x4, 41 - 7));
- s->x0 = XOR(t.x0, ROR(t.x0, 28 - 19));
- s->x1 = XOR(t.x1, ROR(t.x1, 61 - 39));
- s->x2 = XOR(t.x2, ROR(s->x2, 1));
- s->x3 = XOR(t.x3, ROR(s->x3, 10));
- s->x4 = XOR(t.x4, ROR(s->x4, 7));
- s->x0 = XOR(t.x0, ROR(s->x0, 19));
- s->x1 = XOR(t.x1, ROR(s->x1, 39));
- s->x2 = NOT(s->x2);
+ s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1);
+ s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10);
+ s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7);
+ s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19);
+ s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39);
+ s->x[2] = t.x[2] ^ ROR(s->x[2], 1);
+ s->x[3] = t.x[3] ^ ROR(s->x[3], 10);
+ s->x[4] = t.x[4] ^ 
 ROR(s->x[4], 7);
+ s->x[0] = t.x[0] ^ ROR(s->x[0], 19);
+ s->x[1] = t.x[1] ^ ROR(s->x[1], 39);
+ s->x[2] = ~s->x[2];
printstate(" round output", s);
}
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
#endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32/word.h
index 688e605..d685b5e 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32/word.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32/word.h
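Review bot: The new `PROUNDS` assumes `1 <= nr <= 12` but nothing says so: `START(nr)` is `24 - 2 * nr`, so `nr == 0` begins at `RC(24)`, which indexes past the 24-entry `constants[]` table, and because the `do/while` only stops when `i` equals `END` an out-of-range `nr` never terminates. Every caller in this patch passes a literal 6, 8 or 12, so today this is a documentation gap; I would add `/* nr must be in 1..12: walks constants[] from START(nr) up to END */` above the loop, or an assert where the project allows one. `START`, `INC`, `END` and `RC` come from constants.h, which permutations.h includes ahead of round.h; the first lines of round.h are outside this hunk, but if it has no `#include "constants.h"` of its own, adding one would make the header self-contained.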
@@ -2,104 +2,115 @@
#define WORD_H_
#include
+#include
+#include "config.h"
#include "endian.h"
#include "forceinline.h"
#include "interleave.h"
-typedef struct {
- uint32_t e;
- uint32_t o;
-} word_t;
-
-forceinline uint32_t ROR32(uint32_t x, int n) {
- return (n == 0) ? x : x >> n | x << (32 - n);
-}
-
-forceinline word_t ROR(word_t x, int n) {
- word_t r;
- r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2);
- r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2);
- return r;
-}
+#if ASCON_EXTERN_BI
-forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; }
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
-forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; }
+#else
-forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); }
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
-forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); }
+#endif
-forceinline word_t NOT(word_t a) {
- a.e = ~a.e;
- a.o = ~a.o;
- return a;
-}
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
-forceinline word_t XOR(word_t a, word_t b) {
- a.e ^= b.e;
- a.o ^= b.o;
- return a;
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
}
-forceinline word_t AND(word_t a, word_t b) {
- a.e &= b.e;
- a.o &= b.o;
- return a;
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? 
 ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
}
-forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) {
- word_t r;
- r.e = lo2hi.e << 16 | hi2lo.e >> 16;
- r.o = lo2hi.o << 16 | hi2lo.o >> 16;
- return r;
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
}
-forceinline int NOTZERO(word_t a, word_t b) {
- uint32_t result = a.e | a.o | b.e | b.o;
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
result |= result >> 16;
result |= result >> 8;
return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
}
-forceinline word_t PAD(int i) {
- return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32);
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
}
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
/* undefined for n == 0 */
- uint32_t mask = 0x0fffffff >> (n * 4 - 4);
- w.e &= mask;
- w.o &= mask;
- return w;
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
}
+#endif
+
forceinline uint64_t MASK(int n) {
/* undefined for n == 0 */
return ~0ull >> (64 - 8 * n);
}
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
 uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64TOWORD(U64BIG(x));
+ return U64TOWORD(x);
}
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
- uint64_t x = WORDTOU64(w);
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
*(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(x);
+ *(uint64_t*)bytes |= WORDTOU64(w);
}
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
+ memcpy(&x, bytes, n);
return U64TOWORD(x);
}
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
uint64_t x = WORDTOU64(w);
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i];
+ memcpy(bytes, &x, n);
}
#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/architectures b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/ascon.h
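Review bot: `LOAD` and `STORE` touch a full `uint64_t` at `bytes` regardless of `n`: `LOAD` reads 8 bytes and masks afterwards, and `STORE` clears the first n bytes but then ORs in the whole of `WORDTOU64(w)`, so the bytes beyond n are read and written as well. For the final partial block in encrypt.c that means reading up to 7 bytes past the end of `m`/`ad`, and in `ascon_decrypt` it ORs state-derived bits into `m[clen..clen+7]` beyond the plaintext length — acceptable only if the project guarantees callers supply 8-byte-padded buffers, which nothing in this hunk states (the cast also presumes unaligned, aliasing-tolerant 64-bit access). At minimum mask the store, `*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`, and document the buffer contract above `LOAD`; the memcpy-based `LOADBYTES`/`STOREBYTES` in the same hunk show the in-bounds form. Separately, `NOTZERO` relies on `>> 8` of a negative `int` being an arithmetic shift, which C leaves implementation-defined, so the comparison is worth expressing on unsigned values.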
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/config.h
new file mode 100644
index 0000000..5d155e0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.c
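Review bot: The typedef `key_t` in the new ascon.h reuses the name of the POSIX `key_t` type from <sys/types.h>, so a translation unit that sees both (for instance a harness including <stdlib.h> on glibc under its default feature macros, which pulls in <sys/types.h>) fails with a conflicting typedef. A project-prefixed name such as `ascon_key_t` avoids the clash; the same typedef presumably exists in the other ascon.h copies in this patch, of which only the armv6 one is visible here. The prototypes below the typedef are also undocumented; a short comment per group, e.g. `/* AEAD: init -> adata -> encrypt/decrypt -> final; hash: inithash -> absorb -> squeeze */`, would make the intended call order clear to a reader who has not seen encrypt.c.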
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define 
 ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/encrypt.c
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/endian.h
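Review bot: `crypto_aead_decrypt` writes the whole decrypted message into `m` and sets `*mlen` before the tag is checked (`*mlen = clen = clen - CRYPTO_ABYTES;` and the `ascon_decrypt` call both precede `NOTZERO`), so on a tag mismatch it returns -1 but leaves unauthenticated plaintext in the caller's buffer. A caller that consumes `m` on any return value other than 0 is handed forged data; wiping the buffer on failure closes that path, e.g. `int ret = NOTZERO(s.x[3], s.x[4]); if (ret) { memset(m, 0, clen); *mlen = 0; } return ret;` (`memcpy` from the same header is already relied on by word.h). If the intended contract is that the caller discards `m`, state it in the comment above the tag check: `/* on failure m holds unauthenticated data and must be discarded */`.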
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/implementors b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.c
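Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is dead code: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so clang always takes the GNU branch above it and the `__has_attribute` probe is never evaluated. Either drop the branch or spell it `#elif defined(__clang__)`; as written it documents an intent the preprocessor never honours, which will mislead the next reader who relies on the fallback to plain `inline`.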
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.c
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/permutations.h
@@ -0,0 +1,123 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+#define LOADSTATE(s, a, b, c, d, e) \
+ do { \
+ a.x = s->x[0]; \
+ b.x = s->x[1]; \
+ c.x = s->x[2]; \
+ d.x = s->x[3]; \
+ e.x = s->x[4]; \
+ } while (0)
+
+#define STORESTATE(s, a, b, c, d, e) \
+ do { \
+ s->x[0] = a.x; \
+ s->x[1] = b.x; \
+ s->x[2] = c.x; \
+ s->x[3] = d.x; \
+ s->x[4] = e.x; \
+ } while (0)
+
+forceinline void P12ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC0);
+ ROUND5(x2, x3, x4, x0, x1, RC1);
+ ROUND5(x4, x0, x1, x2, x3, RC2);
+ ROUND5(x1, x2, x3, x4, x0, RC3);
+ ROUND5(x3, x4, x0, x1, x2, RC4);
+ ROUND5(x0, x1, x2, x3, x4, RC5);
+ ROUND5(x2, x3, x4, x0, x1, RC6);
+ ROUND5(x4, x0, x1, x2, x3, RC7);
+ ROUND5(x1, x2, x3, x4, x0, RC8);
+ ROUND5(x3, x4, x0, x1, x2, RC9);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCa);
+ ROUND5(x2, x3, x4, x0, x1, RCb);
+ STORESTATE(s, x4, x0, x1, x2, x3);
+#else
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC4);
+ ROUND5(x2, x3, x4, x0, x1, RC5);
+ ROUND5(x4, x0, x1, x2, x3, RC6);
+ ROUND5(x1, x2, x3, x4, x0, RC7);
+ ROUND5(x3, x4, x0, x1, x2, RC8);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RC9);
+ ROUND5(x2, x3, x4, x0, x1, RCa);
+ ROUND5(x4, x0, x1, x2, x3, RCb);
+ STORESTATE(s, x1, x2, x3, x4, x0);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC6);
+ ROUND5(x2, x3, x4, x0, x1, RC7);
+ ROUND5(x4, x0, x1, x2, x3, RC8);
+ ROUND5(x1, x2, x3, x4, x0, RC9);
+ ROUND5(x3, x4, x0, x1, x2, RCa);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCb);
+ STORESTATE(s, x2, x3, x4, x0, x1);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCb);
+#endif
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.c
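Review bot: The two unrolled `P(state_t* s, int nr)` variants silently leave the state untouched when `nr` is not 6, 8 or 12, whereas the `PROUNDS` variant accepts any round count via `START(nr)`; a caller passing an unexpected `nr` under `ASCON_UNROLL_LOOPS` gets no permutation and no diagnostic, which in a sponge construction means absorbing and squeezing through an unchanged state. All visible call sites in encrypt.c pass 6, 8 or 12, so this is a latent rather than an active defect, but the contract should be written down: `/* nr must be 6, 8 or 12; any other value leaves s unchanged */`. Turning the three tests into an if/else chain also avoids re-comparing `nr` after a match.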
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/round.h
new file mode 100644
index 0000000..a52ca55
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/round.h
@@ -0,0 +1,229 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror 
#11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], 
%[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round 
description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], 
%[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6/word.h 
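Review bot: `ROUND` feeds its `C` parameter to the assembler through immediate operands (`[ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32))`), which only assembles once the call has been inlined and `C` constant-folded; a build at -O0, or one where `forceinline` degrades to plain `inline` as forceinline.h's fallback allows, is likely to fail with an impossible-constraint error rather than merely run slower. That requirement deserves a comment on the function, e.g. `/* C must be a compile-time constant after inlining ("i" operand) */`, or an `"r"` operand in the non-inlined configuration. `ROUND_LOOP` correctly lists `"cc"` for its `cmp`; `ROUND` and `ROUND5` use only non-flag-setting `eor`/`mvn`/`orr`/`bic`/`and`, so their empty clobber lists look right.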
@@ -0,0 +1,116 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+#include "interleave.h"
+
+#if ASCON_EXTERN_BI
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+#else
+
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
+
+#endif
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
+}
+
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
+}
+
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
+}
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/architectures b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/ascon.h
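Review bot: `LOAD` and `STORE` access a full `uint64_t` at `bytes` regardless of `n` (`*(uint64_t*)bytes & MASK(n)`, and `*(uint64_t*)bytes &= ~MASK(n)` followed by `|= WORDTOU64(w)`), yet encrypt.c calls them with the remaining length of the final partial block (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `LOAD(c, clen)`, `STORE(m, *px, clen)`), so up to 7 bytes past the end of the associated data and message are read and, on decryption, up to 7 bytes past the end of `m` are written with the bits of the state word above `n`. That is an out-of-bounds access unless every caller guarantees 8 bytes of slack, which nothing in the API states; the casts are also unaligned, aliasing-violating accesses whose acceptability on this armv6 target I cannot judge from here. `LOADBYTES`/`STOREBYTES` just below already use the bounded `memcpy` form, and `LOAD`/`STORE` can do the same, which also stops unrelated state bytes being OR-ed into the output. Separately, `NOTZERO` depends on an arithmetic right shift of a negative `int` (`((int)(result & 0xff) - 1) >> 8`), which is implementation-defined in C; it holds for the GCC/clang ARM targets in scope but deserves `/* relies on arithmetic right shift of a negative int */` above the return.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```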
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/config.h
new file mode 100644
index 0000000..c6afcc6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.c
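Review bot: The `key_t` typedef in ascon.h collides with the POSIX `key_t` declared by `<sys/types.h>`; any translation unit that includes both, directly or through a libc header that pulls `<sys/types.h>` in, gets conflicting typedefs and fails to compile, and the collision only shows up on hosts rather than on the armv6m target this variant is built for. A project-prefixed name such as `ascon_key_t` in the typedef, the prototypes on the following lines and the uses in encrypt.c avoids the clash at no cost.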
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include 
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/encrypt.c
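Review bot: `#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])` uses its argument unparenthesized, so `RC(n - 1)` only works because `+` and `-` share precedence, and an argument like `RC(a ? b : c)` would index the wrong element. Writing it as `((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` is consistent with `START(n)`, which already parenthesizes `(n)`, and removes the trap. A comment above `RC`/`START`/`END` saying that `constants[]` holds each round constant as a (low word, high word) byte pair and that `START(n)` selects the last `n` of the 12 rounds would also help, since the table in constants.c carries no annotation.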
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/endian.h 
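Review bot: In the final-block paths, `LOAD(ad, adlen)` in ascon_adata, `LOAD(m, mlen)` in ascon_encrypt and `STORE(m, *px, clen)` in ascon_decrypt are called with fewer than 8 bytes remaining, but word.h's LOAD/STORE always access a full `uint64_t` at the pointer, so these calls read past the end of the caller's input and, in crypto_aead_decrypt, write up to 7 bytes past the end of `m` (the plaintext buffer is only `clen` bytes long at that point). Unless the API contract guarantees over-allocated buffers, the three calls should use the memcpy-based `LOADBYTES(ad, adlen)`, `LOADBYTES(m, mlen)` and `STOREBYTES(m, *px, clen)` that already exist in word.h and touch exactly `n` bytes; the ciphertext-side `LOAD(c, clen)` is in bounds because the 16-byte tag follows the final block. Separately, when `NOTZERO(s.x[3], s.x[4])` reports a tag mismatch, `m` still holds the unauthenticated plaintext; clearing it before `return`, or documenting that callers must discard it, prevents accidental use.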
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/implementors b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.c
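Review bot: The `#elif defined(__CLANG__)` branch can never be taken: clang defines `__clang__` (lower case), not `__CLANG__`, and it also defines `__GNUC__`, so clang is already caught by the `defined(__GNUC__)` branch above it. The `__has_attribute` probe it wraps is therefore dead code; either drop the branch or, if the intent was to probe the attribute for clang, spell it `defined(__clang__)` and place it before the GNUC test.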
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include 
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.c
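Review bot: `deinterleave16` and `interleave16` join each step's two assignments with the comma operator (`t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);`), which reads as one expression and confuses both readers and linters; `t = (x ^ (x >> 1)) & B[0]; x ^= t ^ (t << 1);` compiles to the same code. The 32-bit helpers also narrow `in` implicitly (`uint32_t lo = in;`, `uint32_t e = in;`); an explicit `(uint32_t)in` makes the intended truncation visible. A one-line comment above `deinterleave32` stating the representation it produces (from the `e`/`o` names and `(uint64_t)o << 32 | e`, presumably even-indexed bits in the low word and odd-indexed bits in the high word) would help readers of word.h and round.h, which depend on it.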
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/permutations.h
@@ -0,0 +1,78 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include 
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+forceinline void P12ROUNDS(state_t* s) {
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.c
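Review bot: Both unrolled definitions of `P(state_t* s, int nr)` in this header test `nr == 12`, `nr == 8` and `nr == 6` with independent `if`s and silently apply zero rounds for any other value, so a wrong round count would leave the state unpermuted with no diagnostic, which in a cipher is the worst kind of silent failure. Every caller in encrypt.c passes a constant, so a guard is cheap: an `else` branch that traps, or at minimum a comment `/* nr must be 12, 8 or 6; any other value applies no rounds */` next to each definition, makes the contract explicit. The looped variant `PROUNDS(s, nr)` in round.h has the same implicit contract via `START(nr)`, so the comment belongs on both.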
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include 
+#include 
+#include 
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/round.h
new file mode 100644
index 0000000..76679e7
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/round.h
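Review bot: With `ASCON_PRINT_STATE` defined, printstate() writes the full 320-bit state to stdout on every call, and the call sites in encrypt.c invoke it while the state holds key material (`init 1st key xor` runs right after `s->x[1] = key->k1; s->x[2] = key->k2;`) and the tag (`final 2nd key xor`), so the debug output contains the key. That is fine for generating test vectors, but a comment at the top of printstate.h, e.g. `/* debug aid only: dumps key-dependent state to stdout; never define ASCON_PRINT_STATE in a production build */`, would make the risk visible where the flag is consumed. Also, `for (int i = strlen(text); i < 17; ++i)` narrows `size_t` to `int` implicitly; `(int)strlen(text)` states the intent.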
@@ -0,0 +1,325 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "ldrb %[tmp2], [%[tmp1], #0]\n\t" + "push {%[tmp0]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" + "ldrb %[tmp2], [%[tmp1], #1]\n\t" + "add %[tmp1], %[tmp1], #2\n\t" + "movs %[tmp0], %[x2_h]\n\t" + "push {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs 
%[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], 
#11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], %[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "pop {%[tmp1]}\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "pop {%[tmp0]}\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + "cmp %[tmp1], %[tmp0]\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "+l"(E), [ tmp2 ] "=l"(tmp1) + : + :); + printstate(" round output", s); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp1], %[C_e]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" 
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "movs %[x0_l], %[C_o]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + 
"eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], #11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], 
%[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C_e ] "ri"((uint32_t)C), [ C_o ] "ri"((uint32_t)(C >> 32)) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv6m/word.h 
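Review bot: In ROUND_LOOP, `uint32_t tmp0, tmp1;` declares `tmp0` but never uses it: the asm operands named `tmp0` and `tmp1` are bound to `E` and `C`, and `tmp2` is bound to the C variable `tmp1`, so the declaration only earns an unused-variable warning and makes the operand/variable mapping hard to follow; `uint32_t tmp1;` plus operand names like `ptr`/`end`/`scratch` would read cleanly. Both asm statements end with an empty clobber list even though ROUND_LOOP executes `cmp` (flags) and `push`/`pop` (stack pointer) inside the asm; I believe GCC on ARM treats the condition codes as clobbered by every asm statement, but spelling out `"cc"` (and arguably `"memory"`, since the loop reads `constants[]` through `C` via `ldrb`) costs nothing and documents the assumption for the next reader. The loop exit (`cmp`/`beq rend`/`b rbegin`) depends only on the constant pointer, which is consistent with the goal-constbranch claim.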
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/api.h
new file mode 100644
index 0000000..0eec2d1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/architectures b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/ascon.h
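Review bot: `LOAD` and `STORE` access a full 8-byte word through `*(uint64_t*)bytes` regardless of `n`, so the partial-block calls in this series (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(m, *px, clen)` with a length below 8) read, and for `STORE` also write, up to `8 - n` bytes past the `n` bytes the call names; the `|= WORDTOU64(w)` in `STORE` is not masked either, so on a little-endian target bytes `n..7` receive the upper bytes of `w` OR'ed onto whatever was there. The cast additionally assumes 8-byte alignment and breaks strict aliasing; on a Cortex-M core the compiler may lower it to `LDRD`/`STRD`, which fault on unaligned addresses. `LOADBYTES`/`STOREBYTES` further down already implement the bounded `memcpy` form, so either route the `n < 8` cases through those, or state the precondition on both functions, e.g. `/* touches the full 8-byte word at bytes[0..7] even for n < 8; caller buffers must be readable/writable that far */`.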
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/config.h
new file mode 100644
index 0000000..3070584
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.c
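Review bot: The `typedef struct { ... } key_t;` in ascon.h takes a name POSIX already uses: `<sys/types.h>` declares `key_t` for System V IPC, and glibc's `<stdlib.h>` pulls that header in under its default feature set, so a host build that includes stdlib.h before ascon.h is likely to fail on a conflicting typedef. A project-prefixed name avoids it, e.g. `} ascon_key_t;` with the prototypes updated to `const ascon_key_t* k`. The `#if (CRYPTO_KEYBYTES == 20)` inside the struct also depends on api.h having been included earlier — ascon.h itself only includes word.h, and an undefined `CRYPTO_KEYBYTES` evaluates to 0 and silently drops `k0` — so consider `#include "api.h"` here instead of relying on include order.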
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/endian.h 
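Review bot: In `ascon_decrypt` the final partial block calls `STORE(m, *px, clen)` with `clen < 8`; `STORE` in word.h writes the whole 8-byte word, and at that point only `clen` bytes of the caller's plaintext buffer remain, so up to `8 - clen` bytes land past the end of `m` unless the caller over-allocates (the encrypt side gets away with the same pattern only because the tag is written over those bytes afterwards). `STOREBYTES(m, *px, clen);` in that branch bounds the write. `crypto_aead_decrypt` also leaves the complete unverified plaintext in `m` when `NOTZERO` reports a tag mismatch, and neither `key` nor `s` is cleared on either return path; capturing the result as `int ret = NOTZERO(s.x[3], s.x[4]); if (ret) memset(m, 0, (size_t)clen);` avoids handing out forged plaintext, and the locals need a compiler-resistant wipe (volatile pointer or platform secure-zero helper), since a plain `memset` of dead stack data is routinely optimized away.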
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/forceinline.h
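Review bot: `U64BIG(x)` expands its argument eight times (and `U32BIG` four), so any call with a side-effecting expression evaluates it repeatedly, and the shift ladder hides a byte swap the reader has to re-derive; GCC and Clang, which these ARM targets build with, offer a single-evaluation intrinsic. Gating it keeps the portable fallback: `#if defined(__GNUC__)` / `#define U64BIG(x) __builtin_bswap64(x)` / `#else` followed by the existing shift form, with `__builtin_bswap32`/`__builtin_bswap16` for the narrower macros. Unlike the other branches, the `_MSC_VER` case assumes little-endian without consulting `__BYTE_ORDER__`; that holds for every MSVC target today, but a one-line comment saying so would save a future reader the question.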
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/implementors b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.c
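Review bot: `#elif defined(__CLANG__)` tests a macro no compiler predefines; Clang identifies itself as `__clang__` (lowercase). The branch is dead in practice anyway, because Clang also defines `__GNUC__` and is caught by the preceding `#elif`, so the `__has_attribute` probe beneath it never runs. Either delete the dead branch, or spell it `#elif defined(__clang__)`, place it before the `__GNUC__` test, and nest the probe under `#ifdef __has_attribute` so a preprocessor without that operator does not choke on it.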
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.c 
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.c 
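Review bot: `P(s, nr)` in the two unrolled variants dispatches with three independent `if`s and no `else`, so any `nr` other than 12, 8 or 6 silently skips the permutation and the mode carries on with an unmixed state instead of failing. The callers visible in this series pass `12` or an `nr` that is 6 or 8 by construction, so this is unreachable today, but making the contract explicit is cheap: turn it into an `if`/`else if` chain ending in `else { /* unsupported round count */ assert(0); }`, or put a `_Static_assert` on `ASCON_AEAD_RATE` where `nr` is derived. A one-line comment above each `STORESTATE` in `P12ROUNDS`/`P8ROUNDS`/`P6ROUNDS`, noting that the shuffled argument order appears to undo the register rotation accumulated by the preceding `ROUND5` calls, would also spare the next reader from re-deriving it.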
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/round.h
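Review bot: `printstate` writes the whole 320-bit state to stdout, and the call sites in encrypt.c invoke it right after the key words are placed in `x[1]`/`x[2]` (`"init 1st key xor"`), so with `ASCON_PRINT_STATE` defined the raw key is logged in clear. The `#ifdef ASCON_PRINT_STATE` gate is the right mechanism, but nothing at the definition site says why it matters; a header comment in printstate.h such as `/* Debug tracing only: prints key material and the full internal state to stdout. Never define ASCON_PRINT_STATE in a production build. */` makes the hazard visible where the macro is tested. Minor: `for (int i = strlen(text); ...)` narrows `size_t` to `int`; `size_t i` is the natural type and avoids the sign-conversion warning.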
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m/word.h 
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/ascon.h 
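Review bot: `LOAD` and `STORE` in the second half of this hunk access a full 8-byte word through `*(uint64_t*)bytes` regardless of `n`, so a partial final block of `n` bytes reads, and for `STORE` read-modify-writes, up to `8 - n` bytes beyond what the caller handed over, while `LOADBYTES`/`STOREBYTES` right below stay within `n` via `memcpy`. Presumably this is deliberate for the armv7m target, but the precondition is undocumented and the cast also bypasses the effective-type rules, so a sanitizer or fuzzing build on another host will flag it. I would add above `LOAD`: `/* accesses a full 8-byte word: the caller must guarantee 8 addressable bytes at `bytes` even when n < 8; use LOADBYTES/STOREBYTES where that does not hold */`. `MASK(n)` is marked undefined for `n == 0` but `LOAD(bytes, 0)` would reach it; the callers in encrypt.c appear to guard with `if (adlen)` / `if (mlen)`, and the same restriction belongs in a comment on `LOAD` and `STORE`.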
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/config.h
new file mode 100644
index 0000000..525682c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 0
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.c
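Review bot: The `typedef struct { ... } key_t;` in ascon.h reuses `key_t`, a type name that POSIX `<sys/types.h>` already defines, so a translation unit that pulls in that header directly or through its libc will fail on a conflicting typedef; a project-prefixed name such as `ascon_key_t` avoids the collision, though the rename also touches encrypt.c. The struct layout additionally depends on include order: ascon.h tests `CRYPTO_KEYBYTES` without including api.h, and an undefined macro makes `#if (CRYPTO_KEYBYTES == 20)` silently false, so `k0` is present or absent depending on whether the including file included api.h first. Adding `#include "api.h"` before the test, or `#ifndef CRYPTO_KEYBYTES` / `#error "api.h must be included before ascon.h"` / `#endif`, makes that dependency explicit.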
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/encrypt.c 
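Review bot: `RC(i)` expands its argument unparenthesized in `constants[i + 1]` and `constants[i]`, unlike `START(n)` two lines below, which wraps `(n)`; an argument containing a lower-precedence operator (a conditional expression, for instance) would index the wrong table entries. `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` keeps the two macros consistent. A one-line comment that `RC(i)` takes an even byte offset into the 24-entry `constants` table, which is what `START`/`INC`/`END` appear to produce, would also help a reader who meets `RC` before the `extern const uint8_t constants[]` declaration at the bottom of the header.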
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/endian.h 
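Review bot: In `crypto_aead_decrypt`, `ascon_decrypt` writes the complete plaintext into `m` before the tag is checked, and on a mismatch the function returns `-1` while `m` still holds the unauthenticated plaintext. The SUPERCOP/NIST API leaves `m` unspecified on failure so this is permitted, but a caller that mishandles the return value reads attacker-controlled data; a defensive clear is cheap: `int result = NOTZERO(s.x[3], s.x[4]);` / `if (result) memset(m, 0, clen);` / `return result;` (requires `<string.h>`, which this file does not include directly). The comment `/* verify tag (should be constant time, check compiler output) */` relies on `NOTZERO`'s branch-free form surviving compilation; since the goal-constbranch file in this commit records a manual review, recording the compiler and flags that review covered, there or here, would make the claim reproducible.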
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.c
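Review bot: `#elif defined(__CLANG__)` in forceinline.h tests a macro clang does not predefine; clang identifies itself as `__clang__` (lowercase), and since clang also defines `__GNUC__` the preceding branch already catches it, so the `__has_attribute` check on the following lines is dead. Either drop the branch or, if it is meant to take precedence for clang, move it above the `__GNUC__` test and spell it `#elif defined(__clang__)`. If it stays, `__has_attribute` itself should be wrapped in `#ifdef __has_attribute` before use, because a compiler reaching that branch without it would hit a preprocessor error rather than fall back to plain `inline`.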
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.c
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.c 
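Review bot: The two unrolled variants of `P(state_t* s, int nr)` near the end of this hunk (under `ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` and `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS`) dispatch with three independent `if`s and no fallthrough, so any `nr` other than 12, 8 or 6 applies no rounds and returns silently, whereas the `PROUNDS` path accepts arbitrary `nr`. The mode code in encrypt.c only passes 12 and the rate-derived 6 or 8, so this is latent, but the contract belongs above both definitions: `/* nr must be 12, 8 or 6; any other value is a silent no-op in the unrolled build */`. The `#if !ASCON_INLINE_PERM` / `#else` split inside `P12ROUNDS`, `P8ROUNDS` and `P6ROUNDS` also deserves a one-line comment explaining why the last rounds switch from `ROUND5` to `ROUND` and why `STORESTATE` takes the registers in rotated order, since a reader cannot see from the hunk that the rotation compensates for the argument cycling of the preceding `ROUND5` calls.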
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/round.h
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_armv7m_small/word.h 
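Review bot: ROUND_LOOP is a do-while in asm (`rbegin_%=` … `cmp %[C], %[E]` / `bne`), so it always executes at least one round and stops only when C becomes exactly equal to E after stepping by two bytes per round; PROUNDS(s, nr) is therefore only well-defined for 1 <= nr <= 12, and nr <= 0 would run off the end of the 24-byte constants table. That precondition is not documented anywhere in the hunk; I'd add above PROUNDS: `/* Requires 1 <= nr <= 12: the loop body runs at least once and only terminates when C == E. */`. Separately, the asm reads memory through C (`ldrb %[tmp1], [%[C]], #1`) but declares neither a "memory" clobber nor a memory input operand; that is harmless today because `constants` is const data, but a one-line comment stating that the table must be immutable would stop someone later feeding it a freshly written buffer. The lack of earlyclobber on tmp0/tmp1 is fine as written, since every other operand is "+r" (an output) and so cannot share their registers.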
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/api.h index 2d904bf..0eec2d1 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/api.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/ascon.h 
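Review bot: LOAD() and STORE() access a full uint64_t via `*(uint64_t*)bytes` regardless of n, so for the final partial block (n < 8) LOAD reads up to 7 bytes past the caller's plaintext/AD buffer and STORE does a read-modify-write of up to 7 bytes past the output buffer, with the `|= WORDTOU64(w)` ORing the remaining state bytes into memory the caller never gave us. The callers are outside this hunk, but the lowreg encrypt.c hunk in this same patch shows the pattern `*px ^= LOAD(m, mlen); STORE(c, *px, mlen);` with mlen < 8, and in decrypt that over-write lands beyond the plaintext buffer rather than in the tag area. It is also a strict-aliasing violation and assumes unaligned 64-bit loads are tolerated by the target (Cortex-M raises a fault if the compiler picks LDRD/LDM for the access). The hunk already contains memcpy-based LOADBYTES/STOREBYTES that yield the same value on this little-endian target, so unless the over-read/over-write is a deliberate contract of the "small" variant (in which case it must be documented at the public API as "buffers padded to 8 bytes"), I'd make LOAD/STORE use the same approach:
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* only the n valid bytes; no mask needed */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n); /* bytes beyond n are left untouched */
}
```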
@@ -5,14 +5,28 @@
 #include "word.h"
-typedef struct {
- word_t x0, x1, x2, x3, x4;
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
 } state_t;
-void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k);
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
 void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
 void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
 void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
-void ascon_final(state_t* s, const uint8_t* k);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/config.h
index ca30428..d9e51c1 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/config.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/config.h
@@ -16,4 +16,14 @@
 #define ASCON_UNROLL_LOOPS 0
 #endif
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
 #endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.c
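Review bot: the new `typedef struct { ... } key_t;` reuses the name of the POSIX `key_t` from <sys/types.h>; on glibc with the default feature macros that header is pulled in transitively by <stdlib.h>, so any translation unit that includes both will fail with a conflicting-type redefinition. A project-prefixed name such as `ascon_key_t` avoids the clash and matches the `ascon_*` prefix every function in this header already uses; the same rename would be needed in encrypt.c, where ascon_loadkey/ascon_initaead/ascon_final take a `key_t*`. It would also help to put a one-line comment on the union saying that `x`, `w` and `b` alias the same 40 bytes and that `w[i][0]`/`w[i][1]` are the even/odd bit-interleaved halves of `x[i]`, since the round.h asm in this patch binds `w[i][0]` to the even-constant lane and depends on that layout.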
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/encrypt.c index 7d2e456..631e60c 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/encrypt.c 
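Review bot: `RC(i)` expands its argument unparenthesised (`constants[i + 1]` and `constants[i]`), unlike `START(n)` two lines below, which does parenthesise; today's callers pass plain identifiers, but any compound expression would silently index the wrong entry, so I'd write `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`. The `extern const uint8_t constants[]` declaration is unconditional while constants.c in this patch only emits the table under `!ASCON_UNROLL_LOOPS`; that works as long as unrolled builds never reference RC()/START(), which deserves a comment next to the declaration: `/* defined in constants.c only when !ASCON_UNROLL_LOOPS; unrolled builds use RC0..RCb */`.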
@@ -1,144 +1,220 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define RATE (128 / 8) -#define PA_ROUNDS 12 -#define PB_ROUNDS 8 -#define IV \ - ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \ - (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32) +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* nsec, const unsigned char* npub, - const unsigned char* k) { - u32_2 K0, K1, N0, N1; - u32_2 x0, x1, x2, x3, x4; - u32_2 t0, t1; - u64 tmp0, tmp1; - u32 i; - (void)nsec; - - // set ciphertext size - *clen = mlen + CRYPTO_ABYTES; +#ifdef ASCON_AEAD_RATE - // load key and nonce - to_bit_interleaving(K0, U64BIG(*(u64*)k)); - to_bit_interleaving(K1, U64BIG(*(u64*)(k + 8))); - to_bit_interleaving(N0, U64BIG(*(u64*)npub)); - to_bit_interleaving(N1, U64BIG(*(u64*)(npub + 8))); +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} - // initialization - to_bit_interleaving(x0, IV); - x1.o = K0.o; - x1.e = K0.e; - x2.e = K1.e; - x2.o = K1.o; - x3.e = N0.e; - x3.o = N0.o; - x4.e = N1.e; - x4.o = N1.o; - P12(); - x3.e ^= K0.e; - x3.o ^= K0.o; - x4.e ^= K1.e; - x4.o ^= K1.o; +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = 
LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} - // process associated data +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; if (adlen) { - while (adlen >= RATE) { - to_bit_interleaving(t0, U64BIG(*(u64*)ad)); - x0.e ^= t0.e; - x0.o ^= t0.o; - to_bit_interleaving(t1, U64BIG(*(u64*)(ad + 8))); - x1.e ^= t1.e; - x1.o ^= t1.o; - P8(); - adlen -= RATE; - ad += RATE; + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; } - tmp0 = 0; - tmp1 = 0; - for (i = 0; i < adlen; ++i, ++ad) - if (i < 8) - tmp0 ^= INS_BYTE64(*ad, i); - else - tmp1 ^= INS_BYTE64(*ad, i % 8); - if (adlen < 8) - tmp0 ^= INS_BYTE64(0x80, adlen); - else - tmp1 ^= INS_BYTE64(0x80, adlen % 8); - to_bit_interleaving(t0, tmp0); - x0.e ^= t0.e; - x0.o ^= t0.o; - to_bit_interleaving(t1, tmp1); - x1.e ^= t1.e; - x1.o ^= t1.o; - P8(); + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); } - x4.e ^= 1; + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} - // process plaintext - while (mlen >= RATE) { - to_bit_interleaving(t0, U64BIG(*(u64*)m)); - x0.e ^= t0.e; - x0.o ^= t0.o; - to_bit_interleaving(t1, U64BIG(*(u64*)(m + 8))); - x1.e ^= t1.e; - x1.o ^= t1.o; - from_bit_interleaving(tmp0, x0); - *(u64*)c = U64BIG(tmp0); - from_bit_interleaving(tmp1, x1); - *(u64*)(c + 8) = U64BIG(tmp1); - P8(); - mlen 
-= RATE; - m += RATE; - c += RATE; +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; } - tmp0 = 0; - tmp1 = 0; - for (i = 0; i < mlen; ++i, ++m) - if (i < 8) - tmp0 ^= INS_BYTE64(*m, i); - else - tmp1 ^= INS_BYTE64(*m, i % 8); - if (mlen < 8) - tmp0 ^= INS_BYTE64(0x80, mlen); - else - tmp1 ^= INS_BYTE64(0x80, mlen % 8); - to_bit_interleaving(t0, tmp0); - x0.e ^= t0.e; - x0.o ^= t0.o; - to_bit_interleaving(t1, tmp1); - x1.e ^= t1.e; - x1.o ^= t1.o; - from_bit_interleaving(tmp0, x0); - from_bit_interleaving(tmp1, x1); - for (i = 0; i < mlen; ++i, ++c) - if (i < 8) - *c = EXT_BYTE64(tmp0, i); - else - *c = EXT_BYTE64(tmp1, i % 8); + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} - // finalization - x2.e ^= K0.e; - x2.o ^= K0.o; - x3.e ^= K1.e; - x3.o ^= K1.o; - P12(); - x3.e ^= K0.e; - x3.o ^= K0.o; - x4.e ^= K1.e; - x4.o ^= K1.o; +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} - // set tag - from_bit_interleaving(tmp0, x3); - *(u64*)c = U64BIG(tmp0); - from_bit_interleaving(tmp1, x4); - *(u64*)(c + 8) = U64BIG(tmp1); +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* 
set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); return 0; } +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.c new file mode 100644 index 0000000..effd40b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.c @@ -0,0 +1,15 @@ +#include "interleave.h" + +#if !ASCON_EXTERN_BI + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.h index 7dfa822..e5d6703 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/interleave.h 
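Review bot: crypto_aead_decrypt writes the decrypted bytes into `m` before the tag is checked and, on a mismatch, returns -1 while leaving the unauthenticated plaintext in `m` and `*mlen` set to the full length, so a caller that ignores the return value gets a release of unverified plaintext. The crypto_aead API permits this, but it is cheap to harden: `int r = NOTZERO(s.x[3], s.x[4]); if (r) memset(m, 0, (size_t)clen); return r;` (memset is presumably already in scope through the memcpy helpers in word.h). Related: `key` and `s` hold the key and key-derived state on the stack in both functions and are never wiped before return; the NIST harness does not require it, but a volatile/explicit wipe is the usual expectation for reference code that gets copied into products. The `/* verify tag (should be constant time, check compiler output) */` comment is honest, and since NOTZERO in word.h relies on an arithmetic right shift of a negative int (implementation-defined in C), that check belongs in CI rather than in a comment.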
@@ -3,47 +3,65 @@ #include +#include "config.h" +#include "endian.h" #include "forceinline.h" -forceinline uint32_t deinterleave_uint32(uint32_t x) { +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); return x; } -forceinline uint32_t interleave_uint32(uint32_t x) { +forceinline uint32_t interleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); return x; } /* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); uint32_t hi = in >> 32; uint32_t lo = in; - uint32_t r0, r1; - lo = deinterleave_uint32(lo); - hi = deinterleave_uint32(hi); - r0 = (lo & 0x0000FFFF) | (hi << 16); - r1 = (lo >> 16) | (hi & 0xFFFF0000); - return (uint64_t)r1 << 32 | r0; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; } /* credit to Henry S. 
Warren, Hacker's Delight, Addison-Wesley, 2002 */
 forceinline uint64_t interleave32(uint64_t in) {
- uint32_t r0 = in;
- uint32_t r1 = in >> 32;
- uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16);
- uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000);
- lo = interleave_uint32(lo);
- hi = interleave_uint32(hi);
- return (uint64_t)hi << 32 | lo;
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
 }
 #endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.c
index 8e9b3c1..46450d4 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.c
@@ -1,17 +1,22 @@
 #include "permutations.h"
-#if !ASCON_UNROLL_LOOPS
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9},
- {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9},
- {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}};
+void P12(state_t* s) { P12ROUNDS(s); }
 #endif
-#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-void P12(state_t* s) { P12ROUNDS(s); }
 void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
 void P6(state_t* s) { P6ROUNDS(s); }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.h
index 336d7bb..feaa7dc 100644
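Review bot: P8 is now only compiled when `ASCON_AEAD_RATE == 16` (or `ASCON_HASH_ROUNDS == 8`) and P6 only when `ASCON_AEAD_RATE == 8`, yet the non-inline unrolled `P()` in permutations.h still prototypes and calls all three (`if (nr == 8) P8(s); if (nr == 6) P6(s);` is visible for the armv7m_small variant at the top of this page; the lowreg permutations.h is cut off at the bottom, so I am assuming it mirrors that). That links only if the compiler folds the constant `nr` and discards the dead call, which `forceinline` does not guarantee at -O0 (I believe GCC inlines there but does no constant propagation), so an unoptimised `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` build would fail with an undefined reference to P6 or P8. Either mirror these `#if` conditions around the corresponding prototypes and calls in permutations.h, or keep the definitions unconditional and let the linker drop the unused ones. In either case a comment above the first `#if` stating the invariant, `/* only the permutation the configured mode actually uses is emitted; P() must not reference the others */`, would make the coupling explicit.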
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/permutations.h 
@@ -6,104 +6,43 @@
 #include "api.h"
 #include "ascon.h"
 #include "config.h"
+#include "constants.h"
 #include "printstate.h"
 #include "round.h"
-#define ASCON_128_KEYBYTES 16
-#define ASCON_128A_KEYBYTES 16
-#define ASCON_80PQ_KEYBYTES 20
-
-#define ASCON_128_RATE 8
-#define ASCON_128A_RATE 16
-#define ASCON_HASH_RATE 8
-
-#define ASCON_128_PA_ROUNDS 12
-#define ASCON_128_PB_ROUNDS 6
-
-#define ASCON_128A_PA_ROUNDS 12
-#define ASCON_128A_PB_ROUNDS 8
-
-#define ASCON_HASH_PA_ROUNDS 12
-#define ASCON_HASH_PB_ROUNDS 12
-
-#define ASCON_HASHA_PA_ROUNDS 12
-#define ASCON_HASHA_PB_ROUNDS 8
-
-#define ASCON_HASH_BYTES 32
-
-#define ASCON_128_IV WORD_T(0x8021000008220000ull)
-#define ASCON_128A_IV WORD_T(0x8822000000200000ull)
-#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull)
-#define ASCON_HASH_IV WORD_T(0x0020000008020010ull)
-#define ASCON_XOF_IV WORD_T(0x0020000008020000ull)
-
-#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull)
-#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull)
-#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull)
-#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull)
-#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull)
-
-#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull)
-#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull)
-#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull)
-#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full)
-#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull)
-
-#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull)
-#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull)
-#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull)
-#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull)
-#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull)
-
-#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull)
-#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull)
-#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull)
-#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull)
-#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull)
-
-#define START(n) (12 - n)
-#define RC(e, o) WORD_T((uint64_t)o << 32 | e)
-
 forceinline void P12ROUNDS(state_t* s) {
- ROUND(s, RC(0xc, 0xc));
- ROUND(s, RC(0x9, 0xc));
- ROUND(s, RC(0xc, 0x9));
- ROUND(s, RC(0x9, 0x9));
- ROUND(s, RC(0x6, 0xc));
- ROUND(s, RC(0x3, 0xc));
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P8ROUNDS(state_t* s) {
- ROUND(s, RC(0x6, 0xc));
- ROUND(s, RC(0x3, 0xc));
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P6ROUNDS(state_t* s) {
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
-}
-
-extern const uint8_t constants[][2];
-
-forceinline void PROUNDS(state_t* s, int nr) {
- for (int i = START(nr); i < 12; i++)
- ROUND(s, RC(constants[i][0], constants[i][1]));
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.c
index 6cb5f4d..8aa5862 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.c
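Review bot: `ASCON_HASH_BYTES` is removed along with the other constants but does not reappear in the new constants.h hunk, so any remaining use inside this implementation now fails to compile; a grep before merging would confirm nothing references it (the hash sources are not part of this patch). `ASCON_HASH_IV` and `ASCON_XOF_IV` also change value in the move (0x0020000008020010 → 0x0020000008200010, 0x0020000008020000 → 0x0020000008200000), which is invisible under a commit message of "latest ascon release"; one sentence in the description naming the IV change would help anyone bisecting a test-vector mismatch. The same hunk is repeated for bi32_lowsize/permutations.h.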
@@ -1,21 +1,40 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
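Review bot: `for (int i = strlen(text); i < 17; ++i)` narrows a `size_t` into `int` and then compares it against an integer literal; `for (size_t i = strlen(text); i < 17; ++i)` is the same loop without the sign-conversion warning, and the padding width 17 deserves a named constant with a comment, since it appears to be chosen to match the longest label passed from encrypt.c (`"domain separation"` is 17 characters) and will silently misalign if a longer label is added. The `#ifndef WORDTOU64` / `#ifndef U64BIG` fallbacks define both macros as empty so that `U64BIG(WORDTOU64(x))` still expands — presumably for variants whose word.h supplies no such conversion — and that intent belongs in a one-line comment above them. The same hunk is repeated for bi32_lowsize/printstate.c.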
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/round.h
index b4635a6..2b8d9f1 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/round.h
@@ -4,50 +4,44 @@
 #include "ascon.h"
 #include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-forceinline void ROUND(state_t* s, word_t C) {
- word_t xtemp;
+forceinline void ROUND(state_t* s, uint64_t C) {
+ uint64_t xtemp;
 /* round constant */
- s->x2 = XOR(s->x2, C);
+ s->x[2] ^= C;
 /* s-box layer */
- s->x0 = XOR(s->x0, s->x4);
- s->x4 = XOR(s->x4, s->x3);
- s->x2 = XOR(s->x2, s->x1);
- xtemp = AND(s->x0, NOT(s->x4));
- s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1)));
- s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3)));
- s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0)));
- s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2)));
- s->x3 = XOR(s->x3, xtemp);
- s->x1 = XOR(s->x1, s->x0);
- s->x3 = XOR(s->x3, s->x2);
- s->x0 = XOR(s->x0, s->x4);
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ xtemp = s->x[0] & ~s->x[4];
+ s->x[0] ^= s->x[2] & ~s->x[1];
+ s->x[2] ^= s->x[4] & ~s->x[3];
+ s->x[4] ^= s->x[1] & ~s->x[0];
+ s->x[1] ^= s->x[3] & ~s->x[2];
+ s->x[3] ^= xtemp;
+ s->x[1] ^= s->x[0];
+ s->x[3] ^= s->x[2];
+ s->x[0] ^= s->x[4];
 /* linear layer */
- xtemp = XOR(s->x0, ROR(s->x0, 28 - 19));
- s->x0 = XOR(s->x0, ROR(xtemp, 19));
- xtemp = XOR(s->x1, ROR(s->x1, 61 - 39));
- s->x1 = XOR(s->x1, ROR(xtemp, 39));
- xtemp = XOR(s->x2, ROR(s->x2, 6 - 1));
- s->x2 = XOR(s->x2, ROR(xtemp, 1));
- xtemp = XOR(s->x3, ROR(s->x3, 17 - 10));
- s->x3 = XOR(s->x3, ROR(xtemp, 10));
- xtemp = XOR(s->x4, ROR(s->x4, 41 - 7));
- s->x4 = XOR(s->x4, ROR(xtemp, 7));
- s->x2 = NOT(s->x2);
+ xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19);
+ s->x[0] ^= ROR(xtemp, 19);
+ xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39);
+ s->x[1] ^= ROR(xtemp, 39);
+ xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1);
+ s->x[2] ^= ROR(xtemp, 1);
+ xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10);
+ s->x[3] ^= ROR(xtemp, 10);
+ xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7);
+ s->x[4] ^= ROR(xtemp, 7);
+ s->x[2] = ~s->x[2];
 printstate(" round output", s);
 }
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
 #endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/word.h
index 688e605..d685b5e 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/word.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowreg/word.h
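Review bot: The new `PROUNDS` is a do/while, so for `nr == 0` it executes one round with `i == START(0) == END == 24` and `RC(24)` reads `constants[24]` and `constants[25]` past the end of the 24-entry table in constants.c, where the removed for-loop ran zero rounds for that input. Every caller visible in this patch passes 6, 8 or 12, so this is latent, but a `for (int i = START(nr); i != END; i += INC) ROUND(s, RC(i));` keeps the zero-round case safe at no cost, or add `if (nr <= 0) return;` before the loop. Separately, `START`, `INC`, `END` and `RC` come from constants.h, which round.h does not include — it compiles only because permutations.h happens to include constants.h first — so `#include "constants.h"` belongs next to `#include "ascon.h"` here. The matching bi32_lowsize/round.h hunk is not in view (only its header, on the last line), but with equal blob ids it presumably needs the same change.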
@@ -2,104 +2,115 @@
 #define WORD_H_
 #include
+#include
+#include "config.h"
 #include "endian.h"
 #include "forceinline.h"
 #include "interleave.h"
-typedef struct {
- uint32_t e;
- uint32_t o;
-} word_t;
-
-forceinline uint32_t ROR32(uint32_t x, int n) {
- return (n == 0) ? x : x >> n | x << (32 - n);
-}
-
-forceinline word_t ROR(word_t x, int n) {
- word_t r;
- r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2);
- r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2);
- return r;
-}
+#if ASCON_EXTERN_BI
-forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; }
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
-forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; }
+#else
-forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); }
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
-forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); }
+#endif
-forceinline word_t NOT(word_t a) {
- a.e = ~a.e;
- a.o = ~a.o;
- return a;
-}
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
-forceinline word_t XOR(word_t a, word_t b) {
- a.e ^= b.e;
- a.o ^= b.o;
- return a;
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
 }
-forceinline word_t AND(word_t a, word_t b) {
- a.e &= b.e;
- a.o &= b.o;
- return a;
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
 }
-forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) {
- word_t r;
- r.e = lo2hi.e << 16 | hi2lo.e >> 16;
- r.o = lo2hi.o << 16 | hi2lo.o >> 16;
- return r;
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
 }
-forceinline int NOTZERO(word_t a, word_t b) {
- uint32_t result = a.e | a.o | b.e | b.o;
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
 result |= result >> 16;
 result |= result >> 8;
 return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
 }
-forceinline word_t PAD(int i) {
- return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32);
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
 }
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
 /* undefined for n == 0 */
- uint32_t mask = 0x0fffffff >> (n * 4 - 4);
- w.e &= mask;
- w.o &= mask;
- return w;
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
 }
+#endif
+
 forceinline uint64_t MASK(int n) {
 /* undefined for n == 0 */
 return ~0ull >> (64 - 8 * n);
 }
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
 uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64TOWORD(U64BIG(x));
+ return U64TOWORD(x);
 }
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
- uint64_t x = WORDTOU64(w);
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
 *(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(x);
+ *(uint64_t*)bytes |= WORDTOU64(w);
 }
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
 uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
+ memcpy(&x, bytes, n);
 return U64TOWORD(x);
 }
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
 uint64_t x = WORDTOU64(w);
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i];
+ memcpy(bytes, &x, n);
 }
 #endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/api.h
index 2d904bf..0eec2d1 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/api.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/api.h
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 16
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/ascon.h
index 471e4a5..70a4dee 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/ascon.h
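Review bot: The `/* undefined for n == 0 */` comment is carried into both new `CLEAR` bodies but no longer describes either: the `ASCON_EXTERN_BI` version `~0ull >> (8 * n)` is well-defined for n == 0 and undefined for n == 8 (a 64-bit shift by 64), while the bit-interleaved version `0xffffffffull >> (4 * n)` is defined over the whole 0..8 range; the comment on the extern branch should read `/* undefined for n == 8 */` and the other can simply go. `LOAD` and `STORE` still read-modify-write a whole `uint64_t` through a cast `uint8_t*` — unaligned, and touching bytes beyond the `n` the caller owns — whereas the new `LOADBYTES`/`STOREBYTES` use `memcpy`; the former is pre-existing, but a comment stating the alignment and buffer-length contract those two rely on would be worth adding now that the two styles sit side by side. `memcpy` presumably comes from the stripped `+#include` at the top of the hunk; if that is not `<string.h>`, it needs adding.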
@@ -5,10 +5,20 @@
 #include "word.h"
-typedef struct {
- word_t x0, x1, x2, x3, x4;
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
 } state_t;
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
 #define ASCON_ABSORB 0x1
 #define ASCON_SQUEEZE 0x2
 #define ASCON_INSERT 0x4
@@ -19,8 +29,8 @@ typedef struct {
 void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
 uint8_t mode);
-void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen,
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
 const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
 const uint8_t* k, uint8_t mode);
-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/config.h
index a4f5879..525682c 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/config.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/config.h
@@ -3,7 +3,7 @@
 /* inline the ascon mode */
 #ifndef ASCON_INLINE_MODE
-#define ASCON_INLINE_MODE 0
+#define ASCON_INLINE_MODE 1
 #endif
 /* inline all permutations */
@@ -16,4 +16,14 @@
 #define ASCON_UNROLL_LOOPS 0
 #endif
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 0
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
 #endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.c
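Review bot: The new `typedef struct { ... } key_t;` takes the name `key_t`, which POSIX reserves in `<sys/types.h>` for the System V IPC key type; on glibc and the BSDs any translation unit that includes ascon.h together with a header that pulls in `<sys/types.h>` will fail on a conflicting typedef, and whether the LWC test harness does so is not visible here. A project-prefixed name such as `ascon_key_t` (with the matching updates in encrypt.c's `ascon_loadkey`, `ascon_initaead` and `ascon_final`) removes the hazard. Also, `#if (CRYPTO_KEYBYTES == 20)` depends on api.h, which this header does not visibly include; if it arrives only through include order, an explicit `#include "api.h"` keeps ascon.h self-contained — otherwise the undefined macro silently evaluates to 0 and `k0` disappears.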
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/crypto_aead.c
new file mode 100644
index 0000000..ac5c61a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/crypto_aead.c
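Review bot: `#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])` does not parenthesise its argument, unlike `START(n)` two lines below, so any expression argument with lower precedence than `+` (a conditional, say) indexes the wrong element; `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` is the usual hygiene. The table layout is otherwise undocumented: a comment such as `/* constants[] holds the (e, o) halves of the 12 round constants, even index = low word; START/INC/END walk it in steps of 2 */` above `RC` would explain why START is `24 - 2 * n` and END is 24. `INC`, `END` and `START` are also very generic names for a header that every unit includes; an `ASCON_` prefix would keep them out of the way of user code.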
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/encrypt.c
index 4a5b335..c6100f6 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/encrypt.c
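Review bot: `crypto_aead_decrypt` writes the decrypted bytes into `m` before the tag is compared and leaves them there when it returns -1, so a caller that mishandles the return value consumes unauthenticated plaintext; the LWC API allows this, but wiping the output on failure is cheap and does not touch the success path — e.g. `if (result) memset(m, 0, *mlen);` after the comparison loop (that branch leaks only the pass/fail bit the return value already exposes). `uint8_t t[16]` and the two loops over `CRYPTO_ABYTES` agree only while `CRYPTO_ABYTES == 16`, and this variant's api.h is not fully in view; `uint8_t t[CRYPTO_ABYTES]` ties them together. The OR-accumulate comparison itself is the standard shape, and the existing comment already asks for the compiler output to be checked; `result` could be `unsigned` so that `(result - 1) >> 8` does not rely on implementation-defined right shift of a negative `int`.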
@@ -1,26 +1,95 @@
 #include "api.h"
 #include "ascon.h"
-#include "crypto_aead.h"
 #include "permutations.h"
 #include "printstate.h"
-void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen,
- const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
- const uint8_t* k, uint8_t mode);
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
-int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
- const unsigned char* m, unsigned long long mlen,
- const unsigned char* ad, unsigned long long adlen,
- const unsigned char* nsec, const unsigned char* npub,
- const unsigned char* k) {
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ key_t key;
+ ascon_loadkey(&key, k);
+ /* initialize */
 state_t s;
- (void)nsec;
- /* set ciphertext size */
- *clen = mlen + CRYPTO_ABYTES;
- /* ascon encryption */
- ascon_aead(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
- /* set tag */
- STOREBYTES(c + mlen, s.x3, 8);
- STOREBYTES(c + mlen + 8, s.x4, 8);
- return 0;
+ ascon_initaead(&s, npub, &key);
+ /* process associated data */
+ if (adlen) {
+ ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB);
+ printstate("pad adata", &s);
+ P(&s, nr);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+ /* process plaintext/ciphertext */
+ ascon_update(&s, out, in, tlen, mode);
+ if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s);
+ if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s);
+ /* finalize */
+ ascon_final(&s, &key);
+ ((uint64_t*)t)[0] = WORDTOU64(s.x[3]);
+ ((uint64_t*)t)[1] = WORDTOU64(s.x[4]);
 }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.c
index 321d0ce..effd40b 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.c
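Review bot: `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` stores through a `uint64_t*` aliased onto the caller's `uint8_t t[16]`, which has no 8-byte alignment guarantee; on 32-bit cores without unaligned-access support (Cortex-M0 class, a plausible target for a bi32 lowsize build) that is a fault, and it is undefined behaviour under strict aliasing everywhere. The removed `crypto_aead_encrypt` used `STOREBYTES` for exactly this, and `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` from word.h performs the same conversion via `memcpy`, so it drops in unchanged. Second, when `ASCON_INLINE_MODE` is 0 the `#undef forceinline` / `#define forceinline` at the top strips whatever storage class forceinline.h supplied from `ascon_loadkey`, `ascon_initaead` and `ascon_final`; if that was `static inline`, they become external symbols with generic names that can collide across the units of one library, and `#define forceinline static` keeps them file-local. Finally `key` and `s` (which holds key-derived state) are left on the stack when `ascon_aead` returns with no wipe visible; a best-effort clear would match the constant-time care taken in crypto_aead.c.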
@@ -1,42 +1,15 @@
 #include "interleave.h"
-static inline uint32_t deinterleave_uint32(uint32_t x) {
- uint32_t t;
- t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1);
- t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2);
- t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4);
- t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8);
- return x;
-}
+#if !ASCON_EXTERN_BI
-static inline uint32_t interleave_uint32(uint32_t x) {
- uint32_t t;
- t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8);
- t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4);
- t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2);
- t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1);
- return x;
-}
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
-/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
-uint64_t deinterleave32(uint64_t in) {
- uint32_t hi = in >> 32;
- uint32_t lo = in;
- uint32_t r0, r1;
- lo = deinterleave_uint32(lo);
- hi = deinterleave_uint32(hi);
- r0 = (lo & 0x0000FFFF) | (hi << 16);
- r1 = (lo >> 16) | (hi & 0xFFFF0000);
- return (uint64_t)r1 << 32 | r0;
-}
+#if !ASCON_INLINE_BI
-/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
-uint64_t interleave32(uint64_t in) {
- uint32_t r0 = in;
- uint32_t r1 = in >> 32;
- uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16);
- uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000);
- lo = interleave_uint32(lo);
- hi = interleave_uint32(hi);
- return (uint64_t)hi << 32 | lo;
-}
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.h
index ab87afc..e5d6703 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/interleave.h
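Review bot: `const uint32_t B[3]` is a single-letter global with external linkage, declared `extern` in interleave.h and therefore visible to every unit that includes it; a project-prefixed name such as `ascon_bi_mask` keeps it out of the linker namespace and away from user code that happens to define `B`. The reason the masks live in a table at all is not stated — presumably code size on the lowsize target, since `deinterleave16`/`interleave16` in interleave.h still use `0xff00` as an immediate — and a one-line comment above the definition would stop a later reader from "optimising" them back into immediates. Both remarks apply to the matching interleave.h hunk, which declares `B` and consumes it.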
@@ -3,9 +3,65 @@
 #include
+#include "config.h"
+#include "endian.h"
 #include "forceinline.h"
-uint64_t deinterleave32(uint64_t in);
-uint64_t interleave32(uint64_t in);
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
 #endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.c
index 8e9b3c1..46450d4 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.c
@@ -1,17 +1,22 @@
 #include "permutations.h"
-#if !ASCON_UNROLL_LOOPS
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9},
- {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9},
- {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}};
+void P12(state_t* s) { P12ROUNDS(s); }
 #endif
-#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-void P12(state_t* s) { P12ROUNDS(s); }
 void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
 void P6(state_t* s) { P6ROUNDS(s); }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.h
index 336d7bb..feaa7dc 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/permutations.h
@@ -6,104 +6,43 @@
 #include "api.h"
 #include "ascon.h"
 #include "config.h"
+#include "constants.h"
 #include "printstate.h"
 #include "round.h"
-#define ASCON_128_KEYBYTES 16
-#define ASCON_128A_KEYBYTES 16
-#define ASCON_80PQ_KEYBYTES 20
-
-#define ASCON_128_RATE 8
-#define ASCON_128A_RATE 16
-#define ASCON_HASH_RATE 8
-
-#define ASCON_128_PA_ROUNDS 12
-#define ASCON_128_PB_ROUNDS 6
-
-#define ASCON_128A_PA_ROUNDS 12
-#define ASCON_128A_PB_ROUNDS 8
-
-#define ASCON_HASH_PA_ROUNDS 12
-#define ASCON_HASH_PB_ROUNDS 12
-
-#define ASCON_HASHA_PA_ROUNDS 12
-#define ASCON_HASHA_PB_ROUNDS 8
-
-#define ASCON_HASH_BYTES 32
-
-#define ASCON_128_IV WORD_T(0x8021000008220000ull)
-#define ASCON_128A_IV WORD_T(0x8822000000200000ull)
-#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull)
-#define ASCON_HASH_IV WORD_T(0x0020000008020010ull)
-#define ASCON_XOF_IV WORD_T(0x0020000008020000ull)
-
-#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull)
-#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull)
-#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull)
-#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull)
-#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull)
-
-#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull)
-#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull)
-#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull)
-#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full)
-#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull)
-
-#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull)
-#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull)
-#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull)
-#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull)
-#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull)
-
-#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull)
-#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull)
-#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull)
-#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull)
-#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull)
-
-#define START(n) (12 - n)
-#define RC(e, o) WORD_T((uint64_t)o << 32 | e)
-
 forceinline void P12ROUNDS(state_t* s) {
- ROUND(s, RC(0xc, 0xc));
- ROUND(s, RC(0x9, 0xc));
- ROUND(s, RC(0xc, 0x9));
- ROUND(s, RC(0x9, 0x9));
- ROUND(s, RC(0x6, 0xc));
- ROUND(s, RC(0x3, 0xc));
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P8ROUNDS(state_t* s) {
- ROUND(s, RC(0x6, 0xc));
- ROUND(s, RC(0x3, 0xc));
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P6ROUNDS(state_t* s) {
- ROUND(s, RC(0x6, 0x9));
- ROUND(s, RC(0x3, 0x9));
- ROUND(s, RC(0xc, 0x6));
- ROUND(s, RC(0x9, 0x6));
- ROUND(s, RC(0xc, 0x3));
- ROUND(s, RC(0x9, 0x3));
-}
-
-extern const uint8_t constants[][2];
-
-forceinline void PROUNDS(state_t* s, int nr) {
- for (int i = START(nr); i < 12; i++)
- ROUND(s, RC(constants[i][0], constants[i][1]));
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.c
index 6cb5f4d..8aa5862 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.c
@@ -1,21 +1,40 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else 
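Review bot: In the new printstate the padding loop `for (int i = strlen(text); i < 17; ++i)` stores a size_t into an int and then compares it against a literal, which trips -Wsign-compare/-Wsign-conversion builds for no benefit; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` produces the same output without the narrowing. The bi8/printstate.c hunk further down carries the identical loop. Both files now dump all five state words, and encrypt.c in this patch calls printstate right after the raw key words are written into x[1] and x[2] ("init 1st key xor"), so the ASCON_PRINT_STATE gate is effectively a key-dump switch; a one-line comment above `#ifdef ASCON_PRINT_STATE` saying it is for KAT debugging only would make that explicit.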
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/round.h
index b4635a6..2b8d9f1 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/round.h 
@@ -4,50 +4,44 @@
 #include "ascon.h"
 #include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-forceinline void ROUND(state_t* s, word_t C) {
- word_t xtemp;
+forceinline void ROUND(state_t* s, uint64_t C) {
+ uint64_t xtemp;
 /* round constant */
- s->x2 = XOR(s->x2, C);
+ s->x[2] ^= C;
 /* s-box layer */
- s->x0 = XOR(s->x0, s->x4);
- s->x4 = XOR(s->x4, s->x3);
- s->x2 = XOR(s->x2, s->x1);
- xtemp = AND(s->x0, NOT(s->x4));
- s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1)));
- s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3)));
- s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0)));
- s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2)));
- s->x3 = XOR(s->x3, xtemp);
- s->x1 = XOR(s->x1, s->x0);
- s->x3 = XOR(s->x3, s->x2);
- s->x0 = XOR(s->x0, s->x4);
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ xtemp = s->x[0] & ~s->x[4];
+ s->x[0] ^= s->x[2] & ~s->x[1];
+ s->x[2] ^= s->x[4] & ~s->x[3];
+ s->x[4] ^= s->x[1] & ~s->x[0];
+ s->x[1] ^= s->x[3] & ~s->x[2];
+ s->x[3] ^= xtemp;
+ s->x[1] ^= s->x[0];
+ s->x[3] ^= s->x[2];
+ s->x[0] ^= s->x[4];
 /* linear layer */
- xtemp = XOR(s->x0, ROR(s->x0, 28 - 19));
- s->x0 = XOR(s->x0, ROR(xtemp, 19));
- xtemp = XOR(s->x1, ROR(s->x1, 61 - 39));
- s->x1 = XOR(s->x1, ROR(xtemp, 39));
- xtemp = XOR(s->x2, ROR(s->x2, 6 - 1));
- s->x2 = XOR(s->x2, ROR(xtemp, 1));
- xtemp = XOR(s->x3, ROR(s->x3, 17 - 10));
- s->x3 = XOR(s->x3, ROR(xtemp, 10));
- xtemp = XOR(s->x4, ROR(s->x4, 41 - 7));
- s->x4 = XOR(s->x4, ROR(xtemp, 7));
- s->x2 = NOT(s->x2);
+ xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19);
+ s->x[0] ^= ROR(xtemp, 19);
+ xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39);
+ s->x[1] ^= ROR(xtemp, 39);
+ xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1);
+ s->x[2] ^= ROR(xtemp, 1);
+ xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10);
+ s->x[3] ^= 
ROR(xtemp, 10);
+ xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7);
+ s->x[4] ^= ROR(xtemp, 7);
+ s->x[2] = ~s->x[2];
 printstate(" round output", s);
 }
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
 #endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/update.c
index fbed933..b81b24e 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/update.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/update.c 
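Review bot: The new PROUNDS is a do/while that stops only when `i` reaches END, so it silently assumes 1 <= nr <= 12: with nr == 0, START(0) equals END, the first iteration already reads `RC(12)` past the twelve entries of `constants[]` and the loop continues until `i` wraps, while nr > 12 indexes below zero. The callers visible in this patch pass 6, 8, 12 or the PB_ROUNDS macros, so documenting the contract is enough: `/* nr must be in 1..12: the body runs at least once and only stops at i == END */`. The bi8/round.h hunk below contains the identical function. round.h also uses RC, START, INC and END without including constants.h itself (the visible includes are ascon.h and printstate.h; lines 1-3 are outside the hunk), so it relies on permutations.h having included constants.h first; adding `#include "constants.h"` here removes that ordering dependency.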
@@ -3,42 +3,75 @@
 #include "permutations.h"
 #include "printstate.h"
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
 void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode) {
- const int rate = 16;
- const int nr = 8;
- word_t tmp0, tmp1;
- int n = 0, n0 = 0, n1 = 0;
- while (len) {
- /* determine block size */
- n0 = len < 8 ? len : 8;
- n1 = len < 8 ? 0 : (len < 16 ? len - 8 : 8);
- n = n0 + n1;
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
 /* absorb data */
- tmp0 = LOAD(in, n0);
- s->x0 = XOR(s->x0, tmp0);
- if (n1) tmp1 = LOAD(in + 8, n1);
- if (n1) s->x1 = XOR(s->x1, tmp1);
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
 /* extract data */
 if (mode & ASCON_SQUEEZE) {
- STORE(out, s->x0, n0);
- if (n1) STORE(out + 8, s->x1, n1);
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
 }
 /* insert data */
 if (mode & ASCON_INSERT) {
- s->x0 = CLEAR(s->x0, n0);
- s->x0 = XOR(s->x0, tmp0);
- if (n1) s->x1 = CLEAR(s->x1, n1);
- if (n1) s->x1 = XOR(s->x1, tmp1);
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
 }
 /* compute permutation for full blocks */
- if (n == rate) P(s, nr);
- in += n;
- out += n;
- len -= n;
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
 }
- if (n % rate < 8)
- s->x0 
= XOR(s->x0, PAD(n0 % 8));
- else
- s->x1 = XOR(s->x1, PAD(n1 % 8));
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
 }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/word.h
index 688e605..d685b5e 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/word.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi32_lowsize/word.h 
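Review bot: The tail after the `while (len >= 8)` loop runs with len == 0 whenever the input length is a multiple of 8, so in the ASCON_INSERT branch `s->x[i] = CLEAR(s->x[i], len)` is called with n == 0, which both CLEAR variants in this patch's word.h label "undefined for n == 0". In practice both variants produce a keep-everything mask for n == 0 (`~0ull >> 0` and `0xffffffffull >> 0`), so the code is correct today, but the contract and the caller disagree; either guard the call, `if (len) s->x[i] = CLEAR(s->x[i], len);`, or change the word.h comment to state that n == 0 is a no-op. In the same case `tmp = LOADBYTES(in, len)` reaches `memcpy(&x, in, 0)`, which is only well-defined when `in` is a valid pointer, so a comment that callers must not pass NULL even for empty input would be worth adding.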
@@ -2,104 +2,115 @@
 #define WORD_H_
 #include
+#include
+#include "config.h"
 #include "endian.h"
 #include "forceinline.h"
 #include "interleave.h"
-typedef struct {
- uint32_t e;
- uint32_t o;
-} word_t;
-
-forceinline uint32_t ROR32(uint32_t x, int n) {
- return (n == 0) ? x : x >> n | x << (32 - n);
-}
-
-forceinline word_t ROR(word_t x, int n) {
- word_t r;
- r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2);
- r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2);
- return r;
-}
+#if ASCON_EXTERN_BI
-forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; }
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
-forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; }
+#else
-forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); }
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
-forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); }
+#endif
-forceinline word_t NOT(word_t a) {
- a.e = ~a.e;
- a.o = ~a.o;
- return a;
-}
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
-forceinline word_t XOR(word_t a, word_t b) {
- a.e ^= b.e;
- a.o ^= b.o;
- return a;
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
 }
-forceinline word_t AND(word_t a, word_t b) {
- a.e &= b.e;
- a.o &= b.o;
- return a;
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? 
ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
 }
-forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) {
- word_t r;
- r.e = lo2hi.e << 16 | hi2lo.e >> 16;
- r.o = lo2hi.o << 16 | hi2lo.o >> 16;
- return r;
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
 }
-forceinline int NOTZERO(word_t a, word_t b) {
- uint32_t result = a.e | a.o | b.e | b.o;
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
 result |= result >> 16;
 result |= result >> 8;
 return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
 }
-forceinline word_t PAD(int i) {
- return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32);
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
 }
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
 /* undefined for n == 0 */
- uint32_t mask = 0x0fffffff >> (n * 4 - 4);
- w.e &= mask;
- w.o &= mask;
- return w;
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
 }
+#endif
+
 forceinline uint64_t MASK(int n) {
 /* undefined for n == 0 */
 return ~0ull >> (64 - 8 * n);
 }
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) { 
uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64TOWORD(U64BIG(x));
+ return U64TOWORD(x);
 }
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
- uint64_t x = WORDTOU64(w);
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
 *(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(x);
+ *(uint64_t*)bytes |= WORDTOU64(w);
 }
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
 uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
+ memcpy(&x, bytes, n);
 return U64TOWORD(x);
 }
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
 uint64_t x = WORDTOU64(w);
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i];
+ memcpy(bytes, &x, n);
 }
 #endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/api.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/api.h
index 2d904bf..0eec2d1 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/api.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/api.h
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 16
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/ascon.h
index 990027b..196110e 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/ascon.h 
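Review bot: LOAD and STORE still go through `*(uint64_t*)bytes` (kept as context lines) while the rewritten LOADBYTES/STOREBYTES moved to memcpy, so the header now mixes an aliasing- and alignment-violating access with a well-defined one for the same job; on targets that fault on unaligned 64-bit loads the old form also crashes whenever a caller's buffer is not 8-byte aligned. Both should use the memcpy form, and because LOAD/STORE touch all eight bytes regardless of n, that precondition belongs in a comment so that callers with short tails reach for LOADBYTES/STOREBYTES instead. NOTZERO's final `>> 8` on a negative int is implementation-defined (arithmetic on the mainstream compilers), which the "check compiler output" remark in encrypt.c hints at; a short note next to the expression would keep that caveat with the code.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* accesses all 8 bytes at `bytes`; only the first n contribute */
  uint64_t x;
  memcpy(&x, bytes, 8);
  x &= MASK(n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* read-modify-write of all 8 bytes at `bytes`; semantics unchanged */
  uint64_t x;
  memcpy(&x, bytes, 8);
  x = (x & ~MASK(n)) | WORDTOU64(w);
  memcpy(bytes, &x, 8);
}
/* … unchanged: LOADBYTES, STOREBYTES … */
```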
@@ -5,14 +5,28 @@
 #include "word.h"
-typedef struct {
- word_t x0, x1, x2, x3, x4;
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
 } state_t;
-void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k);
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
 void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
 void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
 void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
-void ascon_final(state_t* s, const uint8_t* k);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/config.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/config.h
index f5873d0..525682c 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/config.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/config.h
@@ -16,4 +16,14 @@
 #define ASCON_UNROLL_LOOPS 0
 #endif
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 0
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
 #endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.c b/ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.c
new file mode 100644
index 0000000..7801918
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.c
@@ -0,0 +1,8 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint64_t constants[] = {RC0, RC1, RC2, RC3, RC4, RC5,
+ RC6, RC7, RC8, RC9, RCa, RCb};
+
+#endif 
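Review bot: The new `key_t` typedef collides with the POSIX `key_t` that <sys/types.h> defines for System V IPC, so any translation unit that also ends up including that header (directly, or indirectly — glibc's stdlib.h pulls it in under the default feature macros) sees two conflicting typedefs; a project-prefixed name such as `ascon_key_t` avoids that. The `#if (CRYPTO_KEYBYTES == 20)` inside the struct evaluates to 0 without any diagnostic when api.h has not been included before ascon.h (the hunk shows only `#include "word.h"`), which would silently drop `k0` from the layout; either include api.h here or put `#ifndef CRYPTO_KEYBYTES` / `#error "api.h must be included first"` / `#endif` above the typedef.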
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.h
new file mode 100644
index 0000000..6c38206
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/constants.h 
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8040000020301000ull
+#define ASCON_128A_IV 0xc000000030200000ull
+#define ASCON_80PQ_IV 0x8040800020301000ull
+#define ASCON_HASH_IV 0x0040000020200002ull
+#define ASCON_HASHA_IV 0x0040000020300002ull
+#define ASCON_XOF_IV 0x0040000020200000ull
+#define ASCON_XOFA_IV 0x0040000020300000ull
+
+#define ASCON_PRF_IV 0xe000000020200000ull
+#define ASCON_MAC_IV 0xe100000020200000ull
+#define ASCON_PRFS_IV 0x9020000020200000ull
+
+#define ASCON_HASH_IV0 0xfa8e976bb985dc4dull
+#define ASCON_HASH_IV1 0xc8085072a40ccd94ull
+#define ASCON_HASH_IV2 0xfe1781be5a847314ull
+#define ASCON_HASH_IV3 0x2f871f6c6d0082b2ull
+#define ASCON_HASH_IV4 0x7a1ba68850ec407eull
+
+#define ASCON_HASHA_IV0 0x194c0f180a5d41e4ull
+#define ASCON_HASHA_IV1 0x7faa87825647f3a7ull
+#define ASCON_HASHA_IV2 0x606dbe06db8da430ull
+#define ASCON_HASHA_IV3 0xe0dd6bcf19fbce3bull
+#define ASCON_HASHA_IV4 0x9720dc4446473d8bull
+
+#define ASCON_XOF_IV0 0x8a46f0d354e771b8ull
+#define ASCON_XOF_IV1 0x04489f4084368cd0ull
+#define ASCON_XOF_IV2 0x6c94f2150dbcf66cull
+#define ASCON_XOF_IV3 0x48965294f143b44eull
+#define ASCON_XOF_IV4 0x0788515fe0e5fb8aull
+
+#define ASCON_XOFA_IV0 0x4ab43d4f16a80d2cull
+#define ASCON_XOFA_IV1 0xd0ae310bf0f619ceull
+#define ASCON_XOFA_IV2 0xc08cf3c801d89cf3ull
+#define ASCON_XOFA_IV3 0x3859d2094dac0b35ull
+#define 
ASCON_XOFA_IV4 0xd274992be52b5357ull
+
+#define RC0 0x0101010100000000ull
+#define RC1 0x0101010000000001ull
+#define RC2 0x0101000100000100ull
+#define RC3 0x0101000000000101ull
+#define RC4 0x0100010100010000ull
+#define RC5 0x0100010000010001ull
+#define RC6 0x0100000100010100ull
+#define RC7 0x0100000000010101ull
+#define RC8 0x0001010101000000ull
+#define RC9 0x0001010001000001ull
+#define RCa 0x0001000101000100ull
+#define RCb 0x0001000001000101ull
+
+#define RC(i) (constants[i])
+#define START(n) (12 - (n))
+#define INC 1
+#define END 12
+
+extern const uint64_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/bi8/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/encrypt.c 
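Review bot: `extern const uint64_t constants[];` is declared without a bound even though `RC(i)` indexes it and the definition in constants.c earlier in this patch has exactly twelve initialisers; declaring it as `extern const uint64_t constants[12];` lets the compiler diagnose a constant out-of-range index and documents the 0..11 range that START, INC and END assume. A short comment above the RC/START/INC/END block stating that the round index runs from START(nr) up to END - 1 over `constants[]` would also help, since round.h consumes these four macros with no visible link back to this header.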
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.c b/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.c
index 659255b..1fa6134 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.c
@@ -1,12 +1,9 @@
 #include "interleave.h"
-/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
-uint64_t interleave8(uint64_t x) {
- x = (x & 0xaa55aa55aa55aa55ull) | ((x & 0x00aa00aa00aa00aaull) << 7) |
- ((x >> 7) & 0x00aa00aa00aa00aaull);
- x = (x & 0xcccc3333cccc3333ull) | ((x & 0x0000cccc0000ccccull) << 14) |
- ((x >> 14) & 0x0000cccc0000ccccull);
- x = (x & 0xf0f0f0f00f0f0f0full) | ((x & 0x00000000f0f0f0f0ull) << 28) |
- ((x >> 28) & 0x00000000f0f0f0f0ull);
- return x;
-}
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return interleave8(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave8(in); }
+
+#endif
\ No newline at end of file
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.h
index fa9e921..d8e7d12 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.h 
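Review bot: The partial-block paths use LOAD/STORE with a length below 8 — `if (adlen) *px ^= LOAD(ad, adlen);` in ascon_adata, `*px ^= LOAD(m, mlen); STORE(c, *px, mlen);` in ascon_encrypt and the mirrored `LOAD(c, clen)` / `STORE(m, *px, clen)` in ascon_decrypt — and if bi8/word.h defines them the way the bi32_lowsize word.h in this same patch does (a masked `*(uint64_t*)bytes` read-modify-write), each of these touches up to seven bytes beyond the end of the caller's ad, m or c buffer, with the decrypt case writing past an output buffer the caller sized to clen. LOADBYTES/STOREBYTES, already used in this file for the 20-byte key and the tag, are the bounded forms and should be used for every tail access. crypto_aead_decrypt also writes the complete decrypted plaintext into m before NOTZERO checks the tag and leaves it there on mismatch, so a caller that ignores the -1 receives unauthenticated data; clearing the output on failure, `int result = NOTZERO(s.x[3], s.x[4]); if (result) memset(m, 0, clen); return result;`, contains that failure mode (memset needs string.h, which the new include in word.h appears to supply — confirm for this variant). Neither `s` nor `key` is wiped before either entry point returns, so key words and the final state remain on the stack; if that is accepted for the reference/KAT builds, a comment saying so would make it a deliberate choice rather than an omission.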
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/interleave.h
@@ -3,8 +3,35 @@
 #include
+#include "config.h"
 #include "forceinline.h"
-uint64_t interleave8(uint64_t x);
+#if ASCON_EXTERN_BI
+
+#define TOBI
+#define FROMBI
+
+#elif ASCON_INLINE_BI
+
+#define TOBI interleave8
+#define FROMBI interleave8
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave8(uint64_t x) {
+ x = (x & 0xaa55aa55aa55aa55ull) | ((x & 0x00aa00aa00aa00aaull) << 7) |
+ ((x >> 7) & 0x00aa00aa00aa00aaull);
+ x = (x & 0xcccc3333cccc3333ull) | ((x & 0x0000cccc0000ccccull) << 14) |
+ ((x >> 14) & 0x0000cccc0000ccccull);
+ x = (x & 0xf0f0f0f00f0f0f0full) | ((x & 0x00000000f0f0f0f0ull) << 28) |
+ ((x >> 28) & 0x00000000f0f0f0f0ull);
+ return x;
+}
 #endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.c
index b03de98..46450d4 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.c 
@@ -1,19 +1,22 @@
 #include "permutations.h"
-#if !ASCON_UNROLL_LOOPS
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-const uint64_t constants[12] = {
- 0x0101010100000000ull, 0x0101010000000001ull, 0x0101000100000100ull,
- 0x0101000000000101ull, 0x0100010100010000ull, 0x0100010000010001ull,
- 0x0100000100010100ull, 0x0100000000010101ull, 0x0001010101000000ull,
- 0x0001010001000001ull, 0x0001000101000100ull, 0x0001000001000101ull};
+void P12(state_t* s) { P12ROUNDS(s); }
 #endif
-#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-void P12(state_t* s) { P12ROUNDS(s); }
 void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
 void P6(state_t* s) { P6ROUNDS(s); }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.h
index f0d971a..feaa7dc 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/permutations.h 
@@ -6,103 +6,43 @@
 #include "api.h"
 #include "ascon.h"
 #include "config.h"
+#include "constants.h"
 #include "printstate.h"
 #include "round.h"
-#define ASCON_128_KEYBYTES 16
-#define ASCON_128A_KEYBYTES 16
-#define ASCON_80PQ_KEYBYTES 20
-
-#define ASCON_128_RATE 8
-#define ASCON_128A_RATE 16
-#define ASCON_HASH_RATE 8
-
-#define ASCON_128_PA_ROUNDS 12
-#define ASCON_128_PB_ROUNDS 6
-
-#define ASCON_128A_PA_ROUNDS 12
-#define ASCON_128A_PB_ROUNDS 8
-
-#define ASCON_HASH_PA_ROUNDS 12
-#define ASCON_HASH_PB_ROUNDS 12
-
-#define ASCON_HASHA_PA_ROUNDS 12
-#define ASCON_HASHA_PB_ROUNDS 8
-
-#define ASCON_HASH_BYTES 32
-
-#define ASCON_128_IV WORD_T(0x8040000020301000ull)
-#define ASCON_128A_IV WORD_T(0xc000000030200000ull)
-#define ASCON_80PQ_IV WORD_T(0x8040800020301000ull)
-#define ASCON_HASH_IV WORD_T(0x0040000020200002ull)
-#define ASCON_XOF_IV WORD_T(0x0040000020200000ull)
-
-#define ASCON_HASH_IV0 WORD_T(0xfa8e976bb985dc4dull)
-#define ASCON_HASH_IV1 WORD_T(0xc8085072a40ccd94ull)
-#define ASCON_HASH_IV2 WORD_T(0xfe1781be5a847314ull)
-#define ASCON_HASH_IV3 WORD_T(0x2f871f6c6d0082b2ull)
-#define ASCON_HASH_IV4 WORD_T(0x7a1ba68850ec407eull)
-
-#define ASCON_HASHA_IV0 WORD_T(0x194c0f180a5d41e4ull)
-#define ASCON_HASHA_IV1 WORD_T(0x7faa87825647f3a7ull)
-#define ASCON_HASHA_IV2 WORD_T(0x606dbe06db8da430ull)
-#define ASCON_HASHA_IV3 WORD_T(0xe0dd6bcf19fbce3bull)
-#define ASCON_HASHA_IV4 WORD_T(0x9720dc4446473d8bull)
-
-#define ASCON_XOF_IV0 WORD_T(0x8a46f0d354e771b8ull)
-#define ASCON_XOF_IV1 WORD_T(0x04489f4084368cd0ull)
-#define ASCON_XOF_IV2 WORD_T(0x6c94f2150dbcf66cull)
-#define ASCON_XOF_IV3 WORD_T(0x48965294f143b44eull)
-#define ASCON_XOF_IV4 WORD_T(0x0788515fe0e5fb8aull)
-
-#define ASCON_XOFA_IV0 WORD_T(0x4ab43d4f16a80d2cull)
-#define ASCON_XOFA_IV1 WORD_T(0xd0ae310bf0f619ceull)
-#define ASCON_XOFA_IV2 WORD_T(0xc08cf3c801d89cf3ull)
-#define ASCON_XOFA_IV3 WORD_T(0x3859d2094dac0b35ull)
-#define ASCON_XOFA_IV4 WORD_T(0xd274992be52b5357ull)
-
-#define START(n) (12 - 
n)
-#define RC(c) WORD_T(c)
-
 forceinline void P12ROUNDS(state_t* s) {
- ROUND(s, RC(0x0101010100000000ull));
- ROUND(s, RC(0x0101010000000001ull));
- ROUND(s, RC(0x0101000100000100ull));
- ROUND(s, RC(0x0101000000000101ull));
- ROUND(s, RC(0x0100010100010000ull));
- ROUND(s, RC(0x0100010000010001ull));
- ROUND(s, RC(0x0100000100010100ull));
- ROUND(s, RC(0x0100000000010101ull));
- ROUND(s, RC(0x0001010101000000ull));
- ROUND(s, RC(0x0001010001000001ull));
- ROUND(s, RC(0x0001000101000100ull));
- ROUND(s, RC(0x0001000001000101ull));
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P8ROUNDS(state_t* s) {
- ROUND(s, RC(0x0100010100010000ull));
- ROUND(s, RC(0x0100010000010001ull));
- ROUND(s, RC(0x0100000100010100ull));
- ROUND(s, RC(0x0100000000010101ull));
- ROUND(s, RC(0x0001010101000000ull));
- ROUND(s, RC(0x0001010001000001ull));
- ROUND(s, RC(0x0001000101000100ull));
- ROUND(s, RC(0x0001000001000101ull));
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P6ROUNDS(state_t* s) {
- ROUND(s, RC(0x0100000100010100ull));
- ROUND(s, RC(0x0100000000010101ull));
- ROUND(s, RC(0x0001010101000000ull));
- ROUND(s, RC(0x0001010001000001ull));
- ROUND(s, RC(0x0001000101000100ull));
- ROUND(s, RC(0x0001000001000101ull));
-}
-
-extern const uint64_t constants[12];
-
-forceinline void PROUNDS(state_t* s, int nr) {
- for (int i = START(nr); i < 12; i++) ROUND(s, RC(constants[i]));
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.c
index 6cb5f4d..0de03e6 100644 
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.c
@@ -1,21 +1,40 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%016" PRIx64, s->x[0]);
+ printf(" x1=%016" PRIx64, s->x[1]);
+ printf(" x2=%016" PRIx64, s->x[2]);
+ printf(" x3=%016" PRIx64, s->x[3]);
+ printf(" x4=%016" PRIx64, s->x[4]);
+#endif
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else 
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/round.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/round.h
index b4635a6..2b8d9f1 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/round.h 
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= 
ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/bi8/word.h b/ascon/Implementations/crypto_aead/ascon128av12/bi8/word.h index 504568d..706c5c6 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/bi8/word.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/bi8/word.h @@ -2,20 +2,25 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" #include "interleave.h" typedef union { - uint64_t w; + uint64_t x; + uint32_t w[2]; uint8_t b[8]; } word_t; +#define U64TOWORD(x) interleave8(U64BIG(x)) +#define WORDTOU64(x) U64BIG(interleave8(x)) + forceinline uint8_t ROR8(uint8_t a, int n) { return a >> n | a << (8 - n); } -forceinline word_t ROR(word_t a, int n) { - word_t b; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; b.b[0] = ROR8(a.b[(n + 0) & 0x7], (n + 0) >> 3); b.b[1] = ROR8(a.b[(n + 1) & 0x7], (n + 1) >> 3); b.b[2] = ROR8(a.b[(n + 2) & 0x7], (n + 2) >> 3); 
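Review bot: PROUNDS, new at the end of the round.h hunk, is a do/while keyed on `i != END`, so it always runs at least one ROUND and only terminates if stepping from START(nr) by INC lands exactly on END. START/INC/END/RC are not defined in this hunk; if they match the neon constants.h later in this diff (START(n) = 0x3c + 15·n, INC = -0x0f, END = 0x3c), every nr ≥ 1 works, but nr = 0 performs one round and then never reaches END. Either document the precondition, e.g. `/* nr must be 1..12: the loop relies on START(nr) reaching END in exactly nr steps of INC */`, or use a pre-tested loop, `for (int i = START(nr); i != END; i += INC) ROUND(s, RC(i));`, which also makes the zero-round case a no-op.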
@@ -24,57 +29,41 @@ forceinline word_t ROR(word_t a, int n) { b.b[5] = ROR8(a.b[(n + 5) & 0x7], (n + 5) >> 3); b.b[6] = ROR8(a.b[(n + 6) & 0x7], (n + 6) >> 3); b.b[7] = ROR8(a.b[(n + 7) & 0x7], (n + 7) >> 3); - return b; -} - -forceinline word_t WORD_T(uint64_t x) { - word_t w; - w.w = x; - return w; -} - -forceinline uint64_t UINT64_T(word_t w) { - uint64_t x; - x = w.w; - return x; + return b.x; } -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(interleave8(x)); } - -forceinline uint64_t WORDTOU64(word_t w) { return interleave8(UINT64_T(w)); } - -forceinline word_t NOT(word_t a) { - a.w = ~a.w; - return a; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.b[0] = lo2hi.b[0] << 4 | hi2lo.b[0] >> 4; + w.b[1] = lo2hi.b[1] << 4 | hi2lo.b[1] >> 4; + w.b[2] = lo2hi.b[2] << 4 | hi2lo.b[2] >> 4; + w.b[3] = lo2hi.b[3] << 4 | hi2lo.b[3] >> 4; + w.b[4] = lo2hi.b[4] << 4 | hi2lo.b[4] >> 4; + w.b[5] = lo2hi.b[5] << 4 | hi2lo.b[5] >> 4; + w.b[6] = lo2hi.b[6] << 4 | hi2lo.b[6] >> 4; + w.b[7] = lo2hi.b[7] << 4 | hi2lo.b[7] >> 4; + return w.x; } -forceinline word_t XOR(word_t a, word_t b) { - a.w ^= b.w; - return a; -} - -forceinline word_t AND(word_t a, word_t b) { - a.w &= b.w; - return a; -} - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t w; - w.w = lo2hi.w << 32 | hi2lo.w >> 32; - return w; -} - -forceinline int NOTZERO(word_t a, word_t b) { - uint64_t result = a.w | b.w; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return (word_t){.b[7] = 0x80 >> i}; } +forceinline uint64_t PAD(int i) { return (uint64_t)(0x80 >> i) << 56; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 30) | /* 0000x */ + ((len & 0x02) << 37) | /* 000x0 */ + ((len & 
0x04) << 44) | /* 00x00 */ + ((len & 0x08) << 51) | /* 0x000 */ + ((len & 0x10) << 58); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ uint8_t m = 0xff >> n; word_t mask = { @@ -87,7 +76,7 @@ forceinline word_t CLEAR(word_t w, int n) { .b[6] = m, .b[7] = m, }; - return AND(w, mask); + return w & mask.x; } forceinline uint64_t MASK(int n) { @@ -95,26 +84,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/api.h b/ascon/Implementations/crypto_aead/ascon128av12/esp32/api.h new file mode 100644 index 0000000..6ad53ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/api.h @@ -0,0 +1,6 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 
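Review bot: LOAD and STORE in the last word.h hunk still touch a full 8 bytes at `bytes` regardless of `n` (`*(uint64_t*)bytes & MASK(n)` and the `&=`/`|=` read-modify-write), whereas LOADBYTES/STOREBYTES were switched to a bounded `memcpy(.., n)`. A caller that passes a partial-block `n` (the final-block code in the encrypt/decrypt files of this diff calls `LOAD(m, mlen)` and `STORE(c, *px, mlen)` with `mlen < 8`) reads, and for STORE writes back, up to 7 bytes past the end of its buffer; the written bytes are unchanged, but it is still an out-of-bounds access that sanitizers and page-boundary allocations will catch. Building LOAD on the same bounded copy removes it: `uint64_t x = 0; memcpy(&x, bytes, n); return U64TOWORD(x);`, with the mirror image in STORE (`uint64_t x = WORDTOU64(w); memcpy(bytes, &x, n);`). That also drops the `(uint64_t*)` view of a `uint8_t` buffer, which assumes alignment and breaks strict aliasing.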
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/core.c b/ascon/Implementations/crypto_aead/ascon128av12/esp32/core.c new file mode 100644 index 0000000..0d18bf1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/core.c 
@@ -0,0 +1,122 @@ +#include "core.h" + +#include + +void ascon_duplex(state* s, unsigned char* out, const unsigned char* in, + unsigned long len, u8 mode) { + u32_4 tmp; + + while (len >= RATE) { + tmp.words[0].h = ((u32*)in)[0]; + tmp.words[0].l = ((u32*)in)[1]; + tmp.words[1].h = ((u32*)in)[2]; + tmp.words[1].l = ((u32*)in)[3]; + tmp = ascon_rev8(tmp); + s->x0.h ^= tmp.words[0].h; + s->x0.l ^= tmp.words[0].l; + s->x1.h ^= tmp.words[1].h; + s->x1.l ^= tmp.words[1].l; + + if (mode != ASCON_AD) { + ((u32*)out)[0] = U32BIG(s->x0.h); + ((u32*)out)[1] = U32BIG(s->x0.l); + ((u32*)out)[2] = U32BIG(s->x1.h); + ((u32*)out)[3] = U32BIG(s->x1.l); + } + if (mode == ASCON_DEC) { + s->x0 = tmp.words[0]; + s->x1 = tmp.words[1]; + } + + P(s, PB_START_ROUND, PB_ROUNDS); + + in += RATE; + out += RATE; + len -= RATE; + } + + u8* bytes = (u8*)&tmp; + memset(bytes, 0, sizeof tmp); + memcpy(bytes, in, len); + bytes[len] ^= 0x80; + + tmp = ascon_rev8(tmp); + s->x0.h ^= tmp.words[0].h; + s->x0.l ^= tmp.words[0].l; + s->x1.h ^= tmp.words[1].h; + s->x1.l ^= tmp.words[1].l; + + if (mode != ASCON_AD) { + tmp = ascon_rev8((u32_4){{s->x0, s->x1}}); + memcpy(out, bytes, len); + } + if (mode == ASCON_DEC) { + memcpy(bytes, in, len); + tmp = ascon_rev8(tmp); + s->x0 = tmp.words[0]; + s->x1 = tmp.words[1]; + } +} + +void ascon_core(state* s, unsigned char* out, const unsigned char* in, + unsigned long long tlen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k, u8 mode) { + u32_4 tmp; + u32_2 K0, K1, N0, N1; + + // load key + tmp.words[0].h = ((u32*)k)[0]; + tmp.words[0].l = ((u32*)k)[1]; + tmp.words[1].h = ((u32*)k)[2]; + tmp.words[1].l = ((u32*)k)[3]; + tmp = ascon_rev8(tmp); + K0 = tmp.words[0]; + K1 = tmp.words[1]; + + // load nonce + tmp.words[0].h = ((u32*)npub)[0]; + tmp.words[0].l = ((u32*)npub)[1]; + tmp.words[1].h = ((u32*)npub)[2]; + tmp.words[1].l = ((u32*)npub)[3]; + tmp = ascon_rev8(tmp); + N0 = tmp.words[0]; + N1 = 
tmp.words[1]; + + // initialization + to_big_immediate(s->x0, IV); + s->x1.h = K0.h; + s->x1.l = K0.l; + s->x2.h = K1.h; + s->x2.l = K1.l; + s->x3.h = N0.h; + s->x3.l = N0.l; + s->x4.h = N1.h; + s->x4.l = N1.l; + P(s, PA_START_ROUND, PA_ROUNDS); + s->x3.h ^= K0.h; + s->x3.l ^= K0.l; + s->x4.h ^= K1.h; + s->x4.l ^= K1.l; + + // process associated data + if (adlen) { + ascon_duplex(s, (void*)0, ad, adlen, ASCON_AD); + P(s, PB_START_ROUND, PB_ROUNDS); + } + s->x4.l ^= 1; + + // process plaintext/ciphertext + ascon_duplex(s, out, in, tlen, mode); + + // finalization + s->x2.h ^= K0.h; + s->x2.l ^= K0.l; + s->x3.h ^= K1.h; + s->x3.l ^= K1.l; + P(s, PA_START_ROUND, PA_ROUNDS); + s->x3.h ^= K0.h; + s->x3.l ^= K0.l; + s->x4.h ^= K1.h; + s->x4.l ^= K1.l; +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/core.h b/ascon/Implementations/crypto_aead/ascon128av12/esp32/core.h new file mode 100644 index 0000000..f93faff --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/core.h @@ -0,0 +1,29 @@ +#ifndef CORE_H_ +#define CORE_H_ + +#include "api.h" +#include "endian.h" +#include "permutations.h" + +#define ASCON_AD 0 +#define ASCON_ENC 1 +#define ASCON_DEC 2 + +#define RATE (128 / 8) +#define PA_ROUNDS 12 +#define PB_ROUNDS 8 +#define PA_START_ROUND 0xf0 +#define PB_START_ROUND 0xb4 +#define IV \ + ((u64)(8 * (CRYPTO_KEYBYTES)) << 0 | (u64)(8 * (RATE)) << 8 | \ + (u64)(PA_ROUNDS) << 16 | (u64)(PB_ROUNDS) << 24) + +void process_data(state* s, unsigned char* out, const unsigned char* in, + unsigned long long len, u8 mode); + +void ascon_core(state* s, unsigned char* out, const unsigned char* in, + unsigned long long tlen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k, u8 mode); + +#endif // CORE_H_ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/decrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/esp32/decrypt.c new file mode 100644 index 0000000..2f0e960 
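Review bot: ascon_duplex declares its length as `unsigned long`, but ascon_core hands it `tlen` and `adlen` of type `unsigned long long`; on the 32-bit ESP32 target this directory is named for, `long` is 32 bits, so lengths of 2^32 or more are silently truncated before any block is processed. Widening the parameter, `unsigned long long len`, removes the truncation at no cost. The `((u32*)in)[0]`-style loads and `((u32*)out)[0]` stores in the full-block loop also treat caller byte buffers as aligned `u32` arrays, which is undefined behaviour in C and may fault on targets that require aligned 32-bit accesses; a `memcpy` into `tmp`, as the partial-block path already does, is the portable form. Note too that `out += RATE` runs in AD mode, where ascon_core passes `out` as null.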
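Review bot: core.h declares `process_data(...)`, but no function by that name is defined anywhere in this commit; core.c defines `ascon_duplex` instead, which core.h does not declare. The stale prototype misleads readers and turns any external caller into an unresolved symbol at link time. Replace it with the real one, `void ascon_duplex(state* s, unsigned char* out, const unsigned char* in, unsigned long len, u8 mode);`, or delete it and make `ascon_duplex` `static` in core.c if it is meant to stay file-local.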
--- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/decrypt.c @@ -0,0 +1,38 @@ +#include "core.h" + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + if (clen < CRYPTO_ABYTES) { + *mlen = 0; + return -1; + } + + state s; + u32_4 tmp; + (void)nsec; + + // set plaintext size + *mlen = clen - CRYPTO_ABYTES; + + ascon_core(&s, m, c, *mlen, ad, adlen, npub, k, ASCON_DEC); + + tmp.words[0].h = ((u32*)(c + *mlen))[0]; + tmp.words[0].l = ((u32*)(c + *mlen))[1]; + tmp.words[1].h = ((u32*)(c + *mlen))[2]; + tmp.words[1].l = ((u32*)(c + *mlen))[3]; + tmp = ascon_rev8(tmp); + u32_2 t0 = tmp.words[0]; + u32_2 t1 = tmp.words[1]; + + // verify tag (should be constant time, check compiler output) + if (((s.x3.h ^ t0.h) | (s.x3.l ^ t0.l) | (s.x4.h ^ t1.h) | (s.x4.l ^ t1.l)) != + 0) { + *mlen = 0; + return -1; + } + + return 0; +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/esp32/encrypt.c new file mode 100644 index 0000000..8f74e44 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/encrypt.c 
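Review bot: On tag mismatch crypto_aead_decrypt sets `*mlen = 0` and returns -1, but the unauthenticated plaintext that ascon_core already wrote into `m` stays there, so a caller that inspects the buffer instead of the return value consumes attacker-controlled bytes. Wiping it before the early return, `memset(m, 0, (size_t)*mlen);` ahead of `*mlen = 0;` (this file would need `<string.h>`), closes that gap cheaply. The tag loads `((u32*)(c + *mlen))[0]` again assume an aligned `u32` view of a byte buffer; a 16-byte `memcpy` into `tmp` is the portable form. The comparison itself ORs all four word differences before the single branch, so it does not reveal which word differed, which is the right shape.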
@@ -0,0 +1,28 @@ +#include "core.h" + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state s; + u32_4 tmp; + (void)nsec; + + // set ciphertext size + *clen = mlen + CRYPTO_ABYTES; + + ascon_core(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENC); + + tmp.words[0] = s.x3; + tmp.words[1] = s.x4; + tmp = ascon_rev8(tmp); + + // set tag + ((u32*)(c + mlen))[0] = tmp.words[0].h; + ((u32*)(c + mlen))[1] = tmp.words[0].l; + ((u32*)(c + mlen))[2] = tmp.words[1].h; + ((u32*)(c + mlen))[3] = tmp.words[1].l; + + return 0; +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/esp32/endian.h new file mode 100644 index 0000000..b4d18f5 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/endian.h 
@@ -0,0 +1,29 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +// macros for big endian machines +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +// macros for little endian machines +#define U64BIG(x) \ + ((((x)&0x00000000000000FFULL) << 56) | (((x)&0x000000000000FF00ULL) << 40) | \ + (((x)&0x0000000000FF0000ULL) << 24) | (((x)&0x00000000FF000000ULL) << 8) | \ + (((x)&0x000000FF00000000ULL) >> 8) | (((x)&0x0000FF0000000000ULL) >> 24) | \ + (((x)&0x00FF000000000000ULL) >> 40) | (((x)&0xFF00000000000000ULL) >> 56)) +#define U32BIG(x) \ + ((((x)&0x000000FF) << 24) | (((x)&0x0000FF00) << 8) | \ + (((x)&0x00FF0000) >> 8) | (((x)&0xFF000000) >> 24)) +#define U16BIG(x) ((((x)&0x00FF) << 8) | (((x)&0xFF00) >> 8)) + +#else +#error "ascon byte order macros not defined in endian.h" +#endif + +#endif // ENDIAN_H_ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/implementors b/ascon/Implementations/crypto_aead/ascon128av12/esp32/implementors new file mode 100644 index 0000000..38a64ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/implementors @@ -0,0 +1,3 @@ +Christoph Dobraunig +Martin Schläffer +Ferdinand Bachmann diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.c new file mode 100644 index 0000000..68c6268 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.c 
@@ -0,0 +1,89 @@ +#include "permutations.h" + +#include "endian.h" + +u32_4 ascon_rev8(u32_4 in) { + in.words[0].h = U32BIG(in.words[0].h); + in.words[0].l = U32BIG(in.words[0].l); + in.words[1].h = U32BIG(in.words[1].h); + in.words[1].l = U32BIG(in.words[1].l); + return in; +} + +#define SBOX(x0, x1, x2, x3, x4, r0, t0, t1, t2) \ + do { \ + t1 = x0 ^ x4; \ + t2 = x3 ^ x4; \ + t0 = -1; \ + x4 = x4 ^ t0; \ + t0 = x1 ^ x2; \ + x4 = x4 | x3; \ + x4 = x4 ^ t0; \ + x3 = x3 ^ x1; \ + x3 = x3 | t0; \ + x3 = x3 ^ t1; \ + x2 = x2 ^ t1; \ + x2 = x2 | x1; \ + x2 = x2 ^ t2; \ + x0 = x0 | t2; \ + x0 = x0 ^ t0; \ + t0 = -1; \ + t1 = t1 ^ t0; \ + x1 = x1 & t1; \ + x1 = x1 ^ t2; \ + r0 = x0; \ + } while (0) + +#define SRC(o, h, l, amt) \ + do { \ + o = (((u64)h << 32) | l) >> amt; \ + } while (0) + +#define LINEAR(dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0) \ + do { \ + SRC(dl, sh0, sl0, r0); \ + SRC(dh, sl0, sh0, r0); \ + dl = dl ^ sl; \ + dh = dh ^ sh; \ + SRC(t0, sh1, sl1, r1); \ + SRC(sh, sl1, sh1, r1); \ + dl = dl ^ t0; \ + dh = dh ^ sh; \ + } while (0) + +void P(state *p, u8 round_const, u8 rounds) { + u32 x0h = p->x0.h, x0l = p->x0.l; + u32 x1h = p->x1.h, x1l = p->x1.l; + u32 x2h = p->x2.h, x2l = p->x2.l; + u32 x3h = p->x3.h, x3l = p->x3.l; + u32 x4h = p->x4.h, x4l = p->x4.l; + u32 t0l, t0h; + u32 rnd = round_const; + u32 tmp0; + + while (rnd >= LAST_ROUND) { + x2l ^= rnd; + + SBOX(x0l, x1l, x2l, x3l, x4l, t0l, t0h, t0l, tmp0); + SBOX(x0h, x1h, x2h, x3h, x4h, t0h, t0h, x0l, tmp0); + + LINEAR(x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, tmp0); + LINEAR(x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, tmp0); + LINEAR(x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, tmp0); + LINEAR(x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, tmp0); + LINEAR(x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, tmp0); + + rnd -= 15; + } + + p->x0.h = x0h; + p->x0.l = x0l; + p->x1.h = x1h; + p->x1.l = x1l; + p->x2.h = x2h; + p->x2.l = x2l; + p->x3.h = x3h; + p->x3.l = x3l; + p->x4.h = x4h; + 
p->x4.l = x4l; +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.h new file mode 100644 index 0000000..b239db0 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/esp32/permutations.h @@ -0,0 +1,49 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +typedef unsigned char u8; +typedef unsigned int u32; +typedef unsigned long long u64; + +typedef struct { + u32 h; + u32 l; +} u32_2; + +typedef struct { + u32_2 words[2]; +} u32_4; + +typedef struct { + u32_2 x0; + u32_2 x1; + u32_2 x2; + u32_2 x3; + u32_2 x4; +} state; + +#define START_ROUND(x) (12 - (x)) +#define LAST_ROUND 0x4b + +u32_4 ascon_rev8(u32_4 in); + +#define to_big_immediate(out, in) \ + do { \ + u64 big_in = U64BIG(in); \ + u32 hi = (big_in) >> 32; \ + u32 lo = (u32)(big_in); \ + out.h = hi; \ + out.l = lo; \ + } while (0) + +#define from_big_immediate(out, in) \ + do { \ + u32 hi = in.h; \ + u32 lo = in.l; \ + out = (u64)hi << 32 | lo; \ + out = U64BIG(out); \ + } while (0) + +void P(state *p, u8 round_const, u8 rounds); + +#endif // PERMUTATIONS_H_ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/api.h b/ascon/Implementations/crypto_aead/ascon128av12/neon/api.h index 2d904bf..0eec2d1 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/api.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/neon/ascon.h index f6b6ebc..79dccd5 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/ascon.h 
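Review bot: The `rounds` parameter of P is never read; the loop `while (rnd >= LAST_ROUND) { ... rnd -= 15; }` derives the round count purely from `round_const` (0xf0 gives 12 iterations down to 0x4b, 0xb4 gives 8), so the `PA_ROUNDS`/`PB_ROUNDS` values core.c passes have no effect and a mismatched pair would go unnoticed. Either make it authoritative, `u32 rnd = LAST_ROUND + 15 * (rounds - 1);` and drop `round_const` from the signature and header, or keep the current scheme and state it: `(void)rounds; /* round count is implied by round_const; see core.h */`. A comment on `LAST_ROUND 0x4b` in permutations.h explaining that it is the constant of the final round would help the next reader as well.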
@@ -6,7 +6,15 @@ #include "word.h" typedef struct { - word_t x0, x1, x2, x3, x4; + uint64_t x[5]; } state_t; -#endif /* ASCON_H */ +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/neon/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/constants.h 
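Review bot: The new `key_t` typedef uses a name POSIX already owns: `<sys/types.h>` defines `key_t` for System V IPC, and on glibc it is pulled in transitively by `<stdlib.h>`/`<stdio.h>` under the default feature macros, so a translation unit that includes both ascon.h and a libc header (printstate.c in this diff includes stdio) can fail with a conflicting-types error. A project-prefixed name such as `ascon_key_t` avoids the clash; the `key_t key;` locals in neon/encrypt.c would be renamed with it. The `#if (CRYPTO_KEYBYTES == 20)` guard on `k0` silently yields a two-word struct when api.h has not been included yet, which is worth a one-line comment stating that dependency.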
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/neon/encrypt.c index 308eae1..eeaab5f 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/encrypt.c 
@@ -1,81 +1,306 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define PA_ROUNDS 12 -#define PB_ROUNDS 8 -#define IV \ - ((uint64_t)(8 * (CRYPTO_KEYBYTES)) << 56 | \ - (uint64_t)(8 * (ASCON_RATE)) << 48 | (uint64_t)(PA_ROUNDS) << 40 | \ - (uint64_t)(PB_ROUNDS) << 32) +#define AD(NR, RATE, RS, RA) \ + do { \ + uint32_t adlen_hi = (uint32_t)(adlen >> 32); \ + uint32_t adlen_lo = (uint32_t)adlen; \ + __asm__ __volatile__ ( \ + ".arm \n\t" \ + ".fpu neon \n\t" \ + "cmp %[adlen_hi], #0 \n\t" \ + "cmpeq %[adlen_lo], #(%c[R]-1) \n\t" \ + "bls .LAD1 \n\t" \ + "vldm %[s], {d0-d4} \n\t" \ + ".LAD0: \n\t" \ + "vldm %[ad]!, {" RA "} \n\t" \ + "vrev64.8 " RA ", " RA " \n\t" \ + "veor " RS ", " RS ", " RA " \n\t" \ + "vmvn d2, d2 \n\t" \ + P ## NR ## ROUNDS(s) \ + "vmvn d2, d2 \n\t" \ + "sub %[adlen_lo], %[adlen_lo], #%c[R] \n\t" \ + "sbc %[adlen_hi], %[adlen_hi], #0 \n\t" \ + "cmp %[adlen_hi], #0 \n\t" \ + "cmpeq %[adlen_lo], #(%c[R]-1) \n\t" \ + "bhi .LAD0 \n\t" \ + "vstm %[s], {d0-d4} \n\t" \ + ".LAD1: \n\t" \ + : [adlen_hi] "+r" (adlen_hi), [adlen_lo] "+r" (adlen_lo), \ + [ad] "+r" (ad) \ + : [s] "r" (s), [C] "r" (C), [R] "i" (RATE) \ + : "d0", "d1", "d2", "d3", "d4", \ + "d10", "d11", "d12", "d13", "d14", "d16", "d17", \ + "d20", "d21", "d22", "d23", "d24", \ + "d31", "memory"); \ + adlen = (uint64_t)adlen_hi << 32 | adlen_lo; \ + } while (0) -int crypto_aead_encrypt(uint8_t* c, uint64_t* clen, const uint8_t* m, - uint64_t mlen, const uint8_t* ad, uint64_t adlen, - const uint8_t* nsec, const uint8_t* npub, - const uint8_t* k) { - const uint64_t K0 = U64BIG(*(uint64_t*)k); - const uint64_t K1 = U64BIG(*(uint64_t*)(k + 8)); - const uint64_t N0 = U64BIG(*(uint64_t*)npub); - const uint64_t N1 = U64BIG(*(uint64_t*)(npub + 8)); - state_t s; - uint32_t i; - (void)nsec; +#define PT(NR, RATE, RS, RM, RC) \ + do { \ + uint32_t mlen_hi = (uint32_t)(mlen >> 32); \ + uint32_t mlen_lo = 
(uint32_t)mlen; \ + __asm__ __volatile__ ( \ + ".arm \n\t" \ + ".fpu neon \n\t" \ + "cmp %[mlen_hi], #0 \n\t" \ + "cmpeq %[mlen_lo], #(%c[R]-1) \n\t" \ + "bls .LPT1 \n\t" \ + "vldm %[s], {d0-d4} \n\t" \ + ".LPT0: \n\t" \ + "vldm %[m]!, {" RM "} \n\t" \ + "vrev64.8 " RM ", " RM " \n\t" \ + "veor " RS ", " RS ", " RM " \n\t" \ + "vrev64.8 " RC ", " RS " \n\t" \ + "vstm %[c]!, {" RC "} \n\t" \ + "vmvn d2, d2 \n\t" \ + P ## NR ## ROUNDS(s) \ + "vmvn d2, d2 \n\t" \ + "sub %[mlen_lo], %[mlen_lo], #%c[R] \n\t" \ + "sbc %[mlen_hi], %[mlen_hi], #0 \n\t" \ + "cmp %[mlen_hi], #0 \n\t" \ + "cmpeq %[mlen_lo], #(%c[R]-1) \n\t" \ + "bhi .LPT0 \n\t" \ + "vstm %[s], {d0-d4} \n\t" \ + ".LPT1: \n\t" \ + : [mlen_hi] "+r" (mlen_hi), [mlen_lo] "+r" (mlen_lo), \ + [m] "+r" (m), [c] "+r" (c) \ + : [s] "r" (s), [C] "r" (C), [R] "i" (RATE) \ + : "d0", "d1", "d2", "d3", "d4", \ + "d10", "d11", "d12", "d13", "d14", "d16", "d17", \ + "d20", "d21", "d22", "d23", "d24", "d26", "d27", \ + "d31", "memory"); \ + mlen = (uint64_t)mlen_hi << 32 | mlen_lo; \ + } while (0) - /* set ciphertext size */ - *clen = mlen + CRYPTO_ABYTES; +#define CT(NR, RATE, RS, RM, RC) \ + do { \ + uint32_t clen_hi = (uint32_t)(clen >> 32); \ + uint32_t clen_lo = (uint32_t)clen; \ + __asm__ __volatile__ ( \ + ".arm \n\t" \ + ".fpu neon \n\t" \ + "cmp %[clen_hi], #0 \n\t" \ + "cmpeq %[clen_lo], #(%c[R]-1) \n\t" \ + "bls .LCT1 \n\t" \ + "vldm %[s], {d0-d4} \n\t" \ + ".LCT0: \n\t" \ + "vldm %[c]!, {" RC "} \n\t" \ + "vrev64.8 " RM ", " RS " \n\t" \ + "veor " RM ", " RM ", " RC " \n\t" \ + "vrev64.8 " RS ", " RC " \n\t" \ + "vstm %[m]!, {" RM "} \n\t" \ + "vmvn d2, d2 \n\t" \ + P ## NR ## ROUNDS(s) \ + "vmvn d2, d2 \n\t" \ + "sub %[clen_lo], %[clen_lo], #%c[R] \n\t" \ + "sbc %[clen_hi], %[clen_hi], #0 \n\t" \ + "cmp %[clen_hi], #0 \n\t" \ + "cmpeq %[clen_lo], #(%c[R]-1) \n\t" \ + "bhi .LCT0 \n\t" \ + "vstm %[s], {d0-d4} \n\t" \ + ".LCT1: \n\t" \ + : [clen_hi] "+r" (clen_hi), [clen_lo] "+r" (clen_lo), \ + [m] "+r" (m), [c] "+r" 
(c) \ + : [s] "r" (s), [C] "r" (C), [R] "i" (RATE) \ + : "d0", "d1", "d2", "d3", "d4", \ + "d10", "d11", "d12", "d13", "d14", "d16", "d17", \ + "d20", "d21", "d22", "d23", "d24", "d26", "d27", \ + "d31", "memory"); \ + clen = (uint64_t)clen_hi << 32 | clen_lo; \ + } while (0) + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} - /* initialization */ - s.x0 = IV; - s.x1 = K0; - s.x2 = K1; - s.x3 = N0; - s.x4 = N1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} - /* process associated data */ +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; if (adlen) { - AD(); - for (i = 0; i < adlen; ++i, ++ad) - if (i < 8) - s.x0 ^= SETBYTE(*ad, i); - else - s.x1 ^= SETBYTE(*ad, i % 8); - if (adlen < 8) - s.x0 ^= SETBYTE(0x80, adlen); - else - s.x1 ^= SETBYTE(0x80, adlen % 8); - P8(); + /* full associated data blocks */ +#if ASCON_AEAD_RATE == 8 + AD(6, 8, "d0", "d16"); +#else + AD(8, 16, "q0", "q8"); +#endif + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); } - s.x4 ^= 1; + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} - /* process plaintext */ - PT(); - for (i = 0; i < mlen; ++i, ++m, ++c) { - if (i < 8) { - s.x0 ^= SETBYTE(*m, i); - *c = GETBYTE(s.x0, i); - } else { - s.x1 ^= SETBYTE(*m, i % 8); - *c = GETBYTE(s.x1, i % 8); - } +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ +#if ASCON_AEAD_RATE == 8 + PT(6, 8, "d0", "d16", "d26"); +#else + PT(8, 16, "q0", "q8", "q13"); +#endif + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ +#if ASCON_AEAD_RATE == 8 + CT(6, 8, "d0", "d16", "d26"); +#else + CT(8, 16, "q0", "q8", "q13"); +#endif + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; } - if (mlen < 8) - s.x0 ^= SETBYTE(0x80, mlen); - else - s.x1 ^= SETBYTE(0x80, mlen % 8); + printstate("pad ciphertext", s); +} - /* finalization */ - s.x2 ^= K0; - s.x3 ^= K1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); /* set tag */ - *(uint64_t*)c = U64BIG(s.x3); - *(uint64_t*)(c + 8) = U64BIG(s.x4); - + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); return 0; } + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* 
mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/neon/permutations.h index 9ba4c44..01411b6 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/permutations.h 
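Review bot: In crypto_aead_decrypt the `clen < CRYPTO_ABYTES` rejection returns -1 without touching `*mlen` (the esp32 variant in this diff sets it to 0), and on a tag mismatch the function returns NOTZERO's -1 while `*mlen` still holds the full length and `m` still holds the unauthenticated plaintext, so a caller that ignores the return value consumes attacker-controlled bytes; set `*mlen = 0` on both paths and wipe `m` before returning nonzero. A second, build-level hazard: the AD/PT/CT asm blocks use fixed labels (`.LAD0`, `.LPT1`, …), which collide if the same macro body is emitted twice in one translation unit, e.g. ascon_adata inlined into both crypto_aead_encrypt and crypto_aead_decrypt when ASCON_INLINE_MODE keeps forceinline active; GCC's `%=` suffix or numeric local labels (`1:` with `1b`/`2f`) are the safe form. The unused `const int nr` in ascon_encrypt and ascon_decrypt should be removed or marked `(void)nr;`.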
@@ -6,43 +6,10 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - const uint64_t C[12] = { 0xffffffffffffff0full, 0xffffffffffffff1eull, 0xffffffffffffff2dull, 0xffffffffffffff3cull, 0xffffffffffffff4bull, 0xffffffffffffff5aull, diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.c 
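Review bot: The context line `const uint64_t C[12] = {` that survives this hunk is still a non-static object definition in a header; in C a file-scope `const` has external linkage, so every translation unit that includes neon/permutations.h emits its own `C`, and linking two such units fails with a duplicate symbol. That is only a latent hazard as long as exactly one .c file includes the header (which seems to be the case for the NEON build), but the constant-pool the inline asm in round.h reads through `[C]` deserves to be robust to that. Either `static const uint64_t C[12] = { ... };` here, or `extern const uint64_t C[12];` in the header with the definition moved into a .c file, removes it. The array's initialiser continues past the end of the hunk.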
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/round.h b/ascon/Implementations/crypto_aead/ascon128av12/neon/round.h index 8a9a987..d50e45d 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/round.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/round.h 
@@ -4,64 +4,48 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -/* clang-format off */ -#define ROUND(OFFSET) \ - "vldr d31, [%[C], #" #OFFSET "] \n\t" \ - "veor d0, d0, d4 \n\t" \ - "veor d4, d4, d3 \n\t" \ - "veor d2, d2, d31 \n\t" \ - "vbic d13, d0, d4 \n\t" \ - "vbic d12, d4, d3 \n\t" \ - "veor d2, d2, d1 \n\t" \ - "vbic d14, d1, d0 \n\t" \ - "vbic d11, d3, d2 \n\t" \ - "vbic d10, d2, d1 \n\t" \ - "veor q0, q0, q5 \n\t" \ - "veor q1, q1, q6 \n\t" \ - "veor d4, d4, d14 \n\t" \ - "veor d1, d1, d0 \n\t" \ - "veor d3, d3, d2 \n\t" \ - "veor d0, d0, d4 \n\t" \ - "vsri.64 d14, d4, #7 \n\t" \ - "vsri.64 d24, d4, #41 \n\t" \ - "vsri.64 d11, d1, #39 \n\t" \ - "vsri.64 d21, d1, #61 \n\t" \ - "vsri.64 d10, d0, #19 \n\t" \ - "vsri.64 d20, d0, #28 \n\t" \ - "vsri.64 d12, d2, #1 \n\t" \ - "vsri.64 d22, d2, #6 \n\t" \ - "vsri.64 d13, d3, #10 \n\t" \ - "vsri.64 d23, d3, #17 \n\t" \ - "vsli.64 d10, d0, #45 \n\t" \ - "vsli.64 d20, d0, #36 \n\t" \ - "vsli.64 d11, d1, #25 \n\t" \ - "vsli.64 d21, d1, #3 \n\t" \ - "vsli.64 d12, d2, #63 \n\t" \ - "vsli.64 d22, d2, #58 \n\t" \ - "vsli.64 d13, d3, #54 \n\t" \ - "vsli.64 d23, d3, #47 \n\t" \ - "vsli.64 d14, d4, #57 \n\t" \ - "vsli.64 d24, d4, #23 \n\t" \ - "veor q5, q5, q0 \n\t" \ - "veor q6, q6, q1 \n\t" \ - "veor d14, d14, d4 \n\t" \ - "veor q0, q5, q10 \n\t" \ - "veor d4, d14, d24 \n\t" \ +#define ROUND(OFFSET) /* clang-format off */ \ + "vldr d31, [%[C], #" #OFFSET "] \n\t" /* clang-format on */ \ + "veor d0, d0, d4 \n\t" \ + "veor d4, d4, d3 \n\t" \ + "veor d2, d2, d31 \n\t" \ + "vbic d13, d0, d4 \n\t" \ + "vbic d12, d4, d3 \n\t" \ + "veor d2, d2, d1 \n\t" \ + "vbic d14, d1, d0 \n\t" \ + "vbic d11, d3, d2 \n\t" \ + "vbic d10, d2, d1 \n\t" \ + "veor q0, q0, q5 \n\t" \ 
+ "veor q1, q1, q6 \n\t" \ + "veor d4, d4, d14 \n\t" \ + "veor d1, d1, d0 \n\t" \ + "veor d3, d3, d2 \n\t" \ + "veor d0, d0, d4 \n\t" \ + "vsri.64 d14, d4, #7 \n\t" \ + "vsri.64 d24, d4, #41 \n\t" \ + "vsri.64 d11, d1, #39 \n\t" \ + "vsri.64 d21, d1, #61 \n\t" \ + "vsri.64 d10, d0, #19 \n\t" \ + "vsri.64 d20, d0, #28 \n\t" \ + "vsri.64 d12, d2, #1 \n\t" \ + "vsri.64 d22, d2, #6 \n\t" \ + "vsri.64 d13, d3, #10 \n\t" \ + "vsri.64 d23, d3, #17 \n\t" \ + "vsli.64 d10, d0, #45 \n\t" \ + "vsli.64 d20, d0, #36 \n\t" \ + "vsli.64 d11, d1, #25 \n\t" \ + "vsli.64 d21, d1, #3 \n\t" \ + "vsli.64 d12, d2, #63 \n\t" \ + "vsli.64 d22, d2, #58 \n\t" \ + "vsli.64 d13, d3, #54 \n\t" \ + "vsli.64 d23, d3, #47 \n\t" \ + "vsli.64 d14, d4, #57 \n\t" \ + "vsli.64 d24, d4, #23 \n\t" \ + "veor q5, q5, q0 \n\t" \ + "veor q6, q6, q1 \n\t" \ + "veor d14, d14, d4 \n\t" \ + "veor q0, q5, q10 \n\t" \ + "veor d4, d14, d24 \n\t" \ "veor q1, q6, q11 \n\t" -/* clang-format on */ #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/neon/word.h b/ascon/Implementations/crypto_aead/ascon128av12/neon/word.h index 8e28f6d..79bfeb4 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/neon/word.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/neon/word.h 
@@ -2,36 +2,27 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" -typedef uint64_t word_t; +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -#define WORD_T -#define UINT64_T -#define U64TOWORD -#define WORDTOU64 +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -/* get byte from Ascon 64-bit word */ -#define GETBYTE(x, i) ((uint8_t)((uint64_t)(x) >> (56 - 8 * (i)))) +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } -/* set byte in Ascon 64-bit word */ -#define SETBYTE(b, i) ((uint64_t)(b) << (56 - 8 * (i))) - -forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); } - -forceinline word_t NOT(word_t a) { return ~a; } - -forceinline word_t XOR(word_t a, word_t b) { return a ^ b; } - -forceinline word_t AND(word_t a, word_t b) { return a & b; } - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { +forceinline int NOTZERO(uint64_t a, uint64_t b) { uint64_t result = a | b; result |= result >> 32; result |= result >> 16; @@ -39,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) { return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); + uint64_t mask = ~0ull >> (8 * n); return w & mask; } 
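Review bot: The comment `/* undefined for n == 0 */` above CLEAR is stale after this change of mask: `~0ull >> (8 * n)` is perfectly defined for n == 0 (it returns w unchanged), and the undefined case has moved to n == 8, where the shift count equals the width of uint64_t. The old formula `>> (n * 8 - 8)` was the one that broke at n == 0, which is what the comment described. The only caller visible in this diff, `*px = CLEAR(*px, clen)` in ascon_decrypt, passes 1..7, so this is a documentation fix; I would write `/* valid for 0 <= n <= 7; n == 8 would shift by the full word width (undefined) */`.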
@@ -52,29 +45,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64BIG(x); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(w); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; - return x; -} - -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i]; + memcpy(&x, bytes, n); + return U64TOWORD(x); } -static inline uint64_t CLEARBYTES(uint64_t x, int n) { - for (int i = 0; i < n; ++i) x &= ~SETBYTE(0xff, i); - return x; +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/api.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/ascon.h 
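Review bot: `LOAD` and `STORE` always touch a full 8-byte word through `*(uint64_t*)bytes` even when `n < 8`, so the partial-block paths in this diff (`LOAD(ad, adlen)`, `STORE(c, *px, mlen)`, `LOAD(c, clen)`) read, and in `STORE` read-modify-write, up to 7 bytes past the end of the caller's buffer; if a message ends at a page boundary that is an out-of-bounds access, and the cast is an unaligned strict-aliasing pun besides. This behaviour is inherited from the previous version and looks like a deliberate speed trade-off, but nothing documents the "8 bytes of readable and writable slack" precondition it imposes on callers. The `memcpy`-based `LOADBYTES`/`STOREBYTES` added in this same hunk already implement the safe form, so either use them for the final partial block or add a comment on `LOAD`/`STORE` spelling out the precondition.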
@@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/config.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/config.h new file mode 100644 index 0000000..9e814e0 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/config.h @@ -0,0 +1,19 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 1 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/constants.h 
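Review bot: `typedef struct { ... } key_t;` reuses a name that POSIX reserves and defines in `<sys/types.h>` (the System V IPC key type), so on Linux/BSD any translation unit that pulls that header in next to ascon.h, directly or through another system header, fails with a conflicting typedef. Whether this bites depends on what the harness includes, but a project-prefixed `ascon_key_t` (here and in the `const key_t* k` parameters below) avoids the question entirely. Separately, this header tests `#if (CRYPTO_KEYBYTES == 20)` without including api.h; if a user includes ascon.h first, the undefined macro evaluates to 0, the `k0` member is silently dropped, and the struct layout then differs from the one encrypt.c sees, so an `#include "api.h"` at the top of ascon.h would make the layout independent of include order.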
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/endian.h 
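Review bot: crypto_aead_decrypt writes the complete plaintext into `m` and sets `*mlen` before the tag is compared in the last three lines, so on a forged ciphertext the caller is handed unauthenticated plaintext with nothing but the -1 return value telling it to discard the buffer. That follows the NIST LWC API convention, but a one-line mitigation stops the garbage from escaping: `int ret = NOTZERO(s.x[3], s.x[4]); if (ret) memset(m, 0, clen); return ret;` (`<string.h>` is already pulled in through word.h for memcpy). Neither entry point wipes the `key` and `s` stack objects after use either; since everything is force-inlined into one frame a best-effort clear at the end is cheap, though a plain memset may be optimised away and would need a volatile or barrier idiom to be reliable. The `/* should be constant time, check compiler output */` remark on the tag check is the right caveat and is worth keeping.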
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/forceinline.h 
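Review bot: `U64BIG(x)` expands its argument eight times, so any call with a side-effecting or expensive argument is evaluated eight times over; nothing in this diff passes a side-effecting argument, but `U64BIG(WORDTOU64(x))` in printstate.c already expands to 64 textual copies of `x`, and the macro form invites worse. A function, `forceinline uint64_t U64BIG(uint64_t x)` with the same shift body, evaluates once and lets the compiler emit a single byte-swap instruction; under `#if defined(__GNUC__)` it could simply return `__builtin_bswap64(x)`. The `_MSC_VER` branch also assumes every MSVC target is little-endian, which is true today but is worth a one-line comment since it is the only case not derived from `__BYTE_ORDER__`.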
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/implementors b/ascon/Implementations/crypto_aead/ascon128av12/opt32/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.c 
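Review bot: The `#elif defined(__CLANG__)` branch is unreachable: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so the GCC branch above always wins. This is harmless because the GCC branch yields the same `inline __attribute__((__always_inline__))`, but the dead branch suggests the `__has_attribute` probe was meant to run for clang; either test `defined(__clang__)` before the `__GNUC__` case or delete the branch.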
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.c 
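Review bot: In both unrolled variants `P(state_t* s, int nr)` silently does nothing for any `nr` other than 12, 8 or 6, so a wrong round count in a future caller would leave the state unpermuted and produce a non-Ascon cipher with no diagnostic. Every caller in this diff passes a compile-time constant from that set, so nothing changes today, but the contract should be visible at the definition: a comment such as `/* nr must be 6, 8 or 12; any other value is a no-op */` above each `P`, or an `else` branch that fails loudly in debug builds, makes the silent case explicit.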
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/round.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/round.h new file mode 100644 index 0000000..1ecc93d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/round.h 
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint8_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + s->x[2] = ~s->x[2]; + /* linear layer */ + s->x[0] ^= + (s->x[0] >> 19) ^ (s->x[0] << 45) ^ (s->x[0] >> 28) ^ (s->x[0] << 36); + s->x[1] ^= + (s->x[1] >> 61) ^ (s->x[1] << 3) ^ (s->x[1] >> 39) ^ (s->x[1] << 25); + s->x[2] ^= + (s->x[2] >> 1) ^ (s->x[2] << 63) ^ (s->x[2] >> 6) ^ (s->x[2] << 58); + s->x[3] ^= + (s->x[3] >> 10) ^ (s->x[3] << 54) ^ (s->x[3] >> 17) ^ (s->x[3] << 47); + s->x[4] ^= + (s->x[4] >> 7) ^ (s->x[4] << 57) ^ (s->x[4] >> 41) ^ (s->x[4] << 23); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32/word.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32/word.h 
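Review bot: The linear layer spells every rotation by hand as `(x >> r) ^ (x << (64 - r))`, although word.h in this same diff provides `ROR(uint64_t, int)` for exactly that; `s->x[0] ^= ROR(s->x[0], 19) ^ ROR(s->x[0], 28);` reads as the specification's Σ0 and lets the rotation amounts be checked against the spec at a glance instead of verifying that each pair sums to 64. On PROUNDS, note that `START(0)` equals `END` (both 0x3c) and the loop is a do-while, so `nr == 0` executes one round rather than none; no caller passes 0, but a `while (i != END)` loop or a comment on the valid range of `nr` would make that explicit.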
@@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/api.h new file mode 100644 index 0000000..0eec2d1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/api.h 
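Review bot: `LOAD` and `STORE` access a full 8-byte word through `*(uint64_t*)bytes` regardless of `n`, so the partial-block calls in opt32/encrypt.c (`LOAD(ad, adlen)`, `STORE(c, *px, mlen)`, `LOAD(c, clen)` with n < 8) read, and `STORE` read-modify-writes, up to 7 bytes beyond the caller's buffer, which is an out-of-bounds access when the message ends at a page boundary and an unaligned aliasing pun in any case. This appears to be an intentional speed trade-off, but the precondition it places on callers is undocumented; the `memcpy`-based `LOADBYTES`/`STOREBYTES` in the same file are the safe form for the final partial block. The comment `/* undefined for n == 0 */` on CLEAR is also wrong for this mask: `~0ull >> (8 * n)` is defined for n == 0 and undefined for n == 8, so it should read `/* valid for 0 <= n <= 7 */`.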
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 16
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
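Review bot: `key_t` is a POSIX typedef from <sys/types.h>, so the `typedef struct { ... } key_t;` in ascon.h becomes a conflicting redefinition in any translation unit that sees both headers; a project-prefixed name such as `ascon_key_t` avoids that. The struct's layout also depends on CRYPTO_KEYBYTES, which ascon.h does not include (it pulls in word.h only), so a file that includes ascon.h before api.h silently gets the two-word layout while others get three; either `#include "api.h"` at the top of ascon.h or add `/* api.h must be included first: CRYPTO_KEYBYTES selects the key_t layout */` above the struct. The same definition is added to opt64/ascon.h at L888.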
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/encrypt.c
new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/encrypt.c
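Review bot: crypto_aead_decrypt returns -1 on a tag mismatch, but by then m already holds the complete unauthenticated decryption and *mlen is set, so a caller that ignores the return value consumes forged plaintext. If that is the intended API contract, state it in a comment above the function; otherwise overwrite the *mlen bytes of m (and set *mlen to 0) before returning the failure. The comparison itself is fine — `result` accumulates every byte difference before the branch-free `(((result - 1) >> 8) & 1) - 1` — but that expression relies on an arithmetic right shift of a negative int, which is implementation-defined in C and deserves `/* relies on arithmetic >> of a negative int */` next to it. The opt64 crypto_aead_decrypt at L894 has the same release-before-verify shape.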
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/endian.h 
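Review bot: ascon_aead writes the tag through `((uint64_t*)t)[0]` and `[1]`, a type-punned 64-bit store into the caller's `uint8_t t[16]`, which carries no alignment guarantee; the rest of this tree uses the memcpy-based helper for exactly this (opt64's crypto_aead_encrypt does `STOREBYTES(c + mlen, s.x[3], 8)`). Replace the two lines with `STOREBYTES(t, s.x[3], 8);` and `STOREBYTES(t + 8, s.x[4], 8);`. ascon_loadkey and ascon_initaead similarly read the caller's k and npub via LOAD(…, 8), which goes through the same `*(uint64_t*)` cast; if this build is not meant to assume unaligned access is safe, LOADBYTES is the bounded, alignment-safe form.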
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/forceinline.h
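Review bot: U64BIG expands `(x)` eight times (U32BIG four, U16BIG two), and printstate.c at L884 nests them as `U64BIG(WORDTOU64(x))`, so an argument with side effects would be evaluated repeatedly; add `/* (x) is evaluated once per byte lane: pass side-effect-free expressions only */` above the little-endian block. The `defined(_MSC_VER)` clause also treats every MSVC target as little-endian without saying so; a one-line comment makes that assumption visible to whoever next ports this header.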
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.c
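Review bot: the `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also predefines `__GNUC__`, so clang already takes the preceding branch. Either delete the dead branch or, if the `__has_attribute` probe is wanted for clang, test `#if defined(__clang__)` and place it before the `__GNUC__` check.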
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/permutations.h
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.c 
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/round.h
new file mode 100644
index 0000000..1ecc93d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/round.h
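Review bot: printstate prints all five state words to stdout, and encrypt.c calls it immediately after the key is loaded into x[1]/x[2] (`printstate("init 1st key xor", s)`), so an ASCON_PRINT_STATE build writes key material to the console; that is fine for a trace build, but nothing in config.h or this file says so. Add `/* ASCON_PRINT_STATE: debug trace only — dumps the full state, including key words, to stdout; never define it in a release build */` at the top of printstate.c. The `#ifndef WORDTOU64` / `#ifndef U64BIG` fallbacks define empty object-like macros so that `WORDTOU64(x)` collapses to `(x)`; since printstate.h already includes word.h under the same guard, a comment explaining which build they are meant for would help, or they can go.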
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint8_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + s->x[2] = ~s->x[2]; + /* linear layer */ + s->x[0] ^= + (s->x[0] >> 19) ^ (s->x[0] << 45) ^ (s->x[0] >> 28) ^ (s->x[0] << 36); + s->x[1] ^= + (s->x[1] >> 61) ^ (s->x[1] << 3) ^ (s->x[1] >> 39) ^ (s->x[1] << 25); + s->x[2] ^= + (s->x[2] >> 1) ^ (s->x[2] << 63) ^ (s->x[2] >> 6) ^ (s->x[2] << 58); + s->x[3] ^= + (s->x[3] >> 10) ^ (s->x[3] << 54) ^ (s->x[3] >> 17) ^ (s->x[3] << 47); + s->x[4] ^= + (s->x[4] >> 7) ^ (s->x[4] << 57) ^ (s->x[4] >> 41) ^ (s->x[4] << 23); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/update.c 
@@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null 
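Review bot: ascon_update's contract is implicit in two places: `out` may be NULL only when `mode` lacks ASCON_SQUEEZE (ascon_aead passes `(void*)0` for its ASCON_ABSORB pass and the STORE/STOREBYTES calls are gated on that bit), and in a build with ASCON_HASH_BYTES defined `tmp` is written only under `if (mode & ASCON_ABSORB)` yet read unconditionally by the ASCON_INSERT branch, so any mode carrying ASCON_INSERT must also carry ASCON_ABSORB (ASCON_DECRYPT does). Put both above the function: `/* out is ignored unless mode has ASCON_SQUEEZE; ASCON_INSERT requires ASCON_ABSORB (tmp is only set there) */`. Initialising `uint64_t tmp = 0;` would make the second rule a safe default rather than an uninitialised read if a new mode ever violates it.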
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt32_lowsize/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/api.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64/api.h index 2d904bf..0eec2d1 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/api.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/api.h 
@@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/ascon.h @@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64/encrypt.c index bee6080..631e60c 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/encrypt.c 
@@ -1,98 +1,220 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define RATE (128 / 8) -#define PA_ROUNDS 12 -#define PB_ROUNDS 8 -#define IV \ - ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \ - (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32) +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* nsec, const unsigned char* npub, - const unsigned char* k) { - const u64 K0 = U64BIG(*(u64*)k); - const u64 K1 = U64BIG(*(u64*)(k + 8)); - const u64 N0 = U64BIG(*(u64*)npub); - const u64 N1 = U64BIG(*(u64*)(npub + 8)); - state s; - u64 i; - (void)nsec; +#ifdef ASCON_AEAD_RATE - // set ciphertext size - *clen = mlen + CRYPTO_ABYTES; +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} - // initialization - s.x0 = IV; - s.x1 = K0; - s.x2 = K1; - s.x3 = N0; - s.x4 = N1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} - // process associated data 
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; if (adlen) { - while (adlen >= RATE) { - s.x0 ^= U64BIG(*(u64*)ad); - s.x1 ^= U64BIG(*(u64*)(ad + 8)); - P8(); - adlen -= RATE; - ad += RATE; + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; } - for (i = 0; i < adlen; ++i, ++ad) - if (i < 8) - s.x0 ^= INS_BYTE64(*ad, i); - else - s.x1 ^= INS_BYTE64(*ad, i % 8); - if (adlen < 8) - s.x0 ^= INS_BYTE64(0x80, adlen); - else - s.x1 ^= INS_BYTE64(0x80, adlen % 8); - P8(); + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); } - s.x4 ^= 1; + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} - // process plaintext - while (mlen >= RATE) { - s.x0 ^= U64BIG(*(u64*)m); - s.x1 ^= U64BIG(*(u64*)(m + 8)); - *(u64*)c = U64BIG(s.x0); - *(u64*)(c + 8) = U64BIG(s.x1); - P8(); - mlen -= RATE; - m += RATE; - c += RATE; - } - for (i = 0; i < mlen; ++i, ++m, ++c) { - if (i < 8) { - s.x0 ^= INS_BYTE64(*m, i); - *c = EXT_BYTE64(s.x0, i); - } else { - s.x1 ^= INS_BYTE64(*m, i % 8); - *c = EXT_BYTE64(s.x1, i % 8); +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; } - if (mlen < 8) - s.x0 ^= INS_BYTE64(0x80, mlen); - else - s.x1 ^= INS_BYTE64(0x80, mlen % 8); + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} - // finalization - s.x2 ^= K0; - s.x3 ^= K1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} - // set tag - *(u64*)c = U64BIG(s.x3); - *(u64*)(c + 8) = U64BIG(s.x4); +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { 
+ s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); return 0; } +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.c index b979cd6..46450d4 100644 
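Review bot: the final-block paths call LOAD/STORE with a count below 8, and the word.h shown for the opt32 trees (L872, L887) implements those as `*(uint64_t*)bytes` accesses that ignore n; if opt64's word.h (not in this view) matches, `STORE(m, *px, clen)` in ascon_decrypt writes 8 bytes where only clen remain in m — past the end of a plaintext buffer sized exactly *mlen unless the caller over-allocates — and `LOAD(m, mlen)` in ascon_encrypt and `LOAD(ad, adlen)` in ascon_adata read up to 7 bytes beyond their inputs (the decrypt-side LOAD of c is covered by the trailing tag). The memcpy-based helpers are bounded and already used for the tag: in ascon_decrypt use `uint64_t cx = LOADBYTES(c, clen);` and `STOREBYTES(m, *px, clen);`, in ascon_encrypt `STOREBYTES(c, *px, mlen);`, and change the two partial LOADs in ascon_encrypt and ascon_adata to LOADBYTES. The same partial-block shape is not present in the opt32_lowsize update.c (L886), which already uses LOADBYTES/STOREBYTES for the tail.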
--- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/permutations.h 
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.c 
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/round.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64/round.h index cd8ec34..e5ceb5a 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/round.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/round.h 
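Review bot: printstate() dumps all five state words to stdout, and the AEAD code elsewhere in this patch calls it immediately after loading the key into x[1] and x[2] (`printstate("init 1st key xor", s)`), so with ASCON_PRINT_STATE defined the key itself is written to the console; nothing in printstate.c says so. I would add a header comment above the `#ifdef`: `/* Debug tracing only: prints the full state, which holds key material right after the initial key load. Never define ASCON_PRINT_STATE for a production build. */`. A smaller point: the padding loop stores `strlen(text)` in an `int`; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` avoids the implicit narrowing.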
@@ -4,49 +4,43 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { +forceinline void ROUND(state_t* s, uint8_t C) { state_t t; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - t.x0 = XOR(s->x0, AND(NOT(s->x1), s->x2)); - t.x2 = XOR(s->x2, AND(NOT(s->x3), s->x4)); - t.x4 = XOR(s->x4, AND(NOT(s->x0), s->x1)); - t.x1 = XOR(s->x1, AND(NOT(s->x2), s->x3)); - t.x3 = XOR(s->x3, AND(NOT(s->x4), s->x0)); - t.x1 = XOR(t.x1, t.x0); - t.x3 = XOR(t.x3, t.x2); - t.x0 = XOR(t.x0, t.x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[1] ^= t.x[0]; + t.x[3] ^= t.x[2]; + t.x[0] ^= t.x[4]; /* linear layer */ - s->x2 = XOR(t.x2, ROR(t.x2, 6 - 1)); - s->x3 = XOR(t.x3, ROR(t.x3, 17 - 10)); - s->x4 = XOR(t.x4, ROR(t.x4, 41 - 7)); - s->x0 = XOR(t.x0, ROR(t.x0, 28 - 19)); - s->x1 = XOR(t.x1, ROR(t.x1, 61 - 39)); - s->x2 = XOR(t.x2, ROR(s->x2, 1)); - s->x3 = XOR(t.x3, ROR(s->x3, 10)); - s->x4 = XOR(t.x4, ROR(s->x4, 7)); - s->x0 = XOR(t.x0, ROR(s->x0, 19)); - s->x1 = XOR(t.x1, ROR(s->x1, 39)); - s->x2 = NOT(s->x2); + s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1); + s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10); + s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7); + s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39); + s->x[2] = t.x[2] ^ ROR(s->x[2], 1); + s->x[3] = t.x[3] ^ ROR(s->x[3], 10); + s->x[4] = t.x[4] ^ 
ROR(s->x[4], 7); + s->x[0] = t.x[0] ^ ROR(s->x[0], 19); + s->x[1] = t.x[1] ^ ROR(s->x[1], 39); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64/word.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64/word.h index 3df73c4..79bfeb4 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64/word.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64/word.h @@ -2,30 +2,27 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" -typedef uint64_t word_t; +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -#define WORD_T -#define UINT64_T -#define U64TOWORD -#define WORDTOU64 +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); } +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } -forceinline word_t NOT(word_t a) { return ~a; } - -forceinline word_t XOR(word_t a, word_t b) { return a ^ b; } - -forceinline word_t AND(word_t a, word_t b) { return a & b; } - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { +forceinline int NOTZERO(uint64_t a, uint64_t b) { uint64_t result = a | b; result |= result >> 32; result |= result >> 16; 
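Review bot: The new `PROUNDS` do-while exits only when `i` lands on `END` exactly, which holds for the round counts the code passes (START(n) is 0x3c + 15*n, so 1 <= n <= 12 reaches END after n rounds), but `nr == 0` now runs one round with constant 0x3c and then loops until signed overflow, whereas the removed `for (int i = START(nr); i > 0x4a; i -= 0x0f)` simply executed no rounds. Since START, INC and END are defined in constants.h, the contract is invisible at the use site; I would state it and check it: `/* only 1 <= nr <= 12 terminate: i steps from START(nr) down by 0x0f to END */` followed by `assert(nr >= 1 && nr <= 12);` (assert.h would have to be included). `RC(i)` also narrows an int to the `uint8_t C` parameter, which is harmless within that range.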
@@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) { return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); + uint64_t mask = ~0ull >> (8 * n); return w & mask; } @@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64BIG(x); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(w); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; - return x; + memcpy(&x, bytes, n); + return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i]; +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/api.h index 2d904bf..0eec2d1 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/api.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/api.h 
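Review bot: The `/* undefined for n == 0 */` comment on CLEAR no longer describes the new mask: `~0ull >> (8 * n)` is well defined for n == 0 (all-ones mask, w returned unchanged) and is instead undefined for n == 8, where the shift count equals the operand width. Either fix the comment, `/* undefined for n == 8 (shift by 64) */`, or make the function total with `return n == 8 ? 0 : w & (~0ull >> (8 * n));`. MASK in the following hunk has the mirror-image hazard at n == 0, where `~0ull >> (64 - 0)` is likewise a shift by the full width.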
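Review bot: LOAD and STORE still go through `*(uint64_t*)bytes`, so each reads or writes a full 8 bytes whatever `n` is, and STORE ORs in every byte of `WORDTOU64(w)` after clearing only the low `n`; every call visible in this patch passes n == 8, so this is not a live bug, but the contract is undocumented and the memcpy-based LOADBYTES/STOREBYTES in the same hunk show the alignment- and aliasing-safe form. I would add above LOAD: `/* reads a full 8-byte word at bytes (all 8 must be readable) and masks to n; use LOADBYTES for partial blocks */` and the matching note on STORE, so a future partial-block caller does not over-read or clobber the bytes past n.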
@@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/ascon.h index 471e4a5..70a4dee 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/ascon.h @@ -5,10 +5,20 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + #define ASCON_ABSORB 0x1 #define ASCON_SQUEEZE 0x2 #define ASCON_INSERT 0x4 @@ -19,8 +29,8 @@ typedef struct { void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode); -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, const uint8_t* ad, uint64_t adlen, const uint8_t* npub, const uint8_t* k, uint8_t mode); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/config.h index a4f5879..f5873d0 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/config.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/config.h @@ -3,7 +3,7 @@ /* inline the ascon mode */ #ifndef ASCON_INLINE_MODE -#define ASCON_INLINE_MODE 0 +#define ASCON_INLINE_MODE 1 #endif /* inline all permutations */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null 
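Review bot: The `key_t` typedef introduced in ascon.h shares its name with the POSIX type from <sys/types.h> (the System V IPC key), which standard headers such as <stdlib.h> may pull in transitively on some libcs, producing a conflicting-typedef error in any translation unit that sees both. A project-prefixed name sidesteps it: `} ascon_key_t;`, with the `key_t*` parameters in encrypt.c renamed to match. The renamed include guard and the union-based `state_t` in the same hunk look consistent with the `s->x[i]` accesses elsewhere in the patch.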
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/constants.h 
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/crypto_aead.c
new file mode 100644
index 0000000..ac5c61a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/crypto_aead.c
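Review bot: `START`, `INC` and `END` encode an iteration contract that nothing in this header states (a loop steps from START(n) by INC until it lands exactly on END), and `RC(i)` is now an identity macro whose argument is consumed as a `uint8_t` by ROUND. A comment next to the three defines would stop a caller from passing an unsupported round count: `/* PROUNDS(s, n): i runs from START(n) = 0x3c + 15*n down by 0x0f to END; only 1 <= n <= 12 terminate */`.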
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/encrypt.c
index 4a5b335..c6100f6 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/encrypt.c
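Review bot: crypto_aead_decrypt decrypts into `m` before the tag is compared and leaves the plaintext there when the comparison fails, so a caller that ignores the -1 consumes unauthenticated data; that is the usual shape of this API, but clearing the output on failure is cheap: `int ret = (((result - 1) >> 8) & 1) - 1; if (ret) memset(m, 0, *mlen); return ret;` (string.h would need to be included). The byte-wise accumulation into `result` and the `(((result - 1) >> 8) & 1) - 1` fold are a sound branch-free compare, as the comment asks for. Also, `uint8_t t[16]` in both functions should be `uint8_t t[CRYPTO_ABYTES]`, since the loops that fill and compare it are bounded by that constant.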
@@ -1,26 +1,95 @@ #include "api.h" #include "ascon.h" -#include "crypto_aead.h" #include "permutations.h" #include "printstate.h" -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, - const uint8_t* ad, uint64_t adlen, const uint8_t* npub, - const uint8_t* k, uint8_t mode); +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* 
nsec, const unsigned char* npub, - const unsigned char* k) { +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ state_t s; - (void)nsec; - /* set ciphertext size */ - *clen = mlen + CRYPTO_ABYTES; - /* ascon encryption */ - ascon_aead(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); - /* set tag */ - STOREBYTES(c + mlen, s.x3, 8); - STOREBYTES(c + mlen + 8, s.x4, 8); - return 0; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.c 
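Review bot: The tag is written with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and `((uint64_t*)t)[1] = WORDTOU64(s.x[4]);`, an 8-byte store through a punned pointer into what crypto_aead.c declares as `uint8_t t[16]`, which C does not guarantee to be 8-byte aligned and which violates strict aliasing; word.h already has the portable helper, so `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` does the same job safely. Separately, ascon_initaead assigns `s->x[0]` only under `ASCON_AEAD_RATE == 8` or `== 16`, and `s` is declared uninitialized in ascon_aead, so any other rate silently starts the permutation from garbage; a compile-time `#error "unsupported ASCON_AEAD_RATE"` for the remaining case would catch that at build time.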
@@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/permutations.h 
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.c 
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/round.h index b4635a6..afdf76e 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/round.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/round.h 
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint8_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= ROR(xtemp, 
10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/update.c index fbed933..b81b24e 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/update.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/update.c 
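Review bot: This `PROUNDS` only exits when `i` equals `END` exactly, so it is correct for the 6/8/12-round calls made elsewhere in the patch, but `nr == 0` or `nr > 12` never terminates, where the previous `for` loop with its `i > 0x4a` bound degraded to zero rounds. Guarding the entry with `assert(nr >= 1 && nr <= 12);` and a one-line comment on the START/INC/END contract makes the restriction explicit; assert.h would need to be added to the includes.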
@@ -3,42 +3,75 @@ #include "permutations.h" #include "printstate.h" +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode) { - const int rate = 16; - const int nr = 8; - word_t tmp0, tmp1; - int n = 0, n0 = 0, n1 = 0; - while (len) { - /* determine block size */ - n0 = len < 8 ? len : 8; - n1 = len < 8 ? 0 : (len < 16 ? len - 8 : 8); - n = n0 + n1; +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { /* absorb data */ - tmp0 = LOAD(in, n0); - s->x0 = XOR(s->x0, tmp0); - if (n1) tmp1 = LOAD(in + 8, n1); - if (n1) s->x1 = XOR(s->x1, tmp1); +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } /* extract data */ if (mode & ASCON_SQUEEZE) { - STORE(out, s->x0, n0); - if (n1) STORE(out + 8, s->x1, n1); + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); } /* insert data */ if (mode & ASCON_INSERT) { - s->x0 = CLEAR(s->x0, n0); - s->x0 = XOR(s->x0, tmp0); - if (n1) s->x1 = CLEAR(s->x1, n1); - if (n1) s->x1 = XOR(s->x1, tmp1); + s->x[i] = tmp; + printstate("insert ciphertext", s); } /* compute permutation for full blocks */ - if (n == rate) P(s, nr); - in += n; - out += n; - len -= n; +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; } - if (n % rate < 8) - s->x0 
= XOR(s->x0, PAD(n0 % 8)); - else - s->x1 = XOR(s->x1, PAD(n1 % 8)); + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/word.h index 3df73c4..79bfeb4 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/word.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt64_lowsize/word.h @@ -2,30 +2,27 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" -typedef uint64_t word_t; +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -#define WORD_T -#define UINT64_T -#define U64TOWORD -#define WORDTOU64 +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); } +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } -forceinline word_t NOT(word_t a) { return ~a; } - -forceinline word_t XOR(word_t a, word_t b) { return a ^ b; } - -forceinline word_t AND(word_t a, word_t b) { return a & b; } - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { +forceinline int NOTZERO(uint64_t a, uint64_t b) { uint64_t result = a | b; result |= result >> 32; result |= result >> 16; 
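Review bot: The `ASCON_AEAD_ROUNDS` selection at the top of update.c maps every rate other than `ASCON_128_RATE` to `ASCON_128A_PB_ROUNDS`, so a misconfigured `ASCON_AEAD_RATE` (for example the `ASCON_PRF_IN_RATE` of 32 that this patch's constants.h files introduce) compiles silently with the Ascon-128a round count instead of failing. The fallthrough should be explicit: replace the bare `#else` with `#elif ASCON_AEAD_RATE == ASCON_128A_RATE`, and add `#else` / `#error "unsupported ASCON_AEAD_RATE"` before the `#endif`. The later `#if ASCON_AEAD_RATE == 8` / `== 16` blocks rely on the same two-value assumption and would then be guarded by it.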
@@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) { return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); + uint64_t mask = ~0ull >> (8 * n); return w & mask; } @@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64BIG(x); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(w); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; - return x; + memcpy(&x, bytes, n); + return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i]; +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/api.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/api.h index 2d904bf..0eec2d1 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/api.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/api.h 
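Review bot: The comment above `CLEAR`, `/* undefined for n == 0 */`, no longer matches the new body: `~0ull >> (8 * n)` is well defined for n == 0 (it returns `w` unchanged) and is instead undefined for n == 8, where the shift count equals the width of `uint64_t`. The previous formula `0x00ffffffffffffffull >> (n * 8 - 8)` had the opposite limit, which is where the comment came from. Change it to `/* undefined for n == 8 */` so the partial-block callers know which end is unsafe. `PAD(i)` in the same hunk has the mirror-image limit (`56 - 8 * i` goes negative for i > 7) and would benefit from the same one-line note.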
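Review bot: `LOAD` and `STORE` still go through `*(uint64_t*)bytes` while `LOADBYTES`/`STOREBYTES` in the same hunk were switched to `memcpy`; the cast form violates strict aliasing, assumes 8-byte alignment, and for n < 8 reads (and in `STORE` writes) bytes `n..7` that the caller may not own. `STORE` additionally ORs the full `WORDTOU64(w)` after clearing only the low `n` bytes, so for n < 8 the bytes beyond `n` receive the low bytes of `w` rather than keeping their value. If partial-length stores are intended, mask the word too, `*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`, and use `memcpy(&x, bytes, 8)` in `LOAD` to keep the 8-byte semantics without the aliasing cast; otherwise document that these two helpers are for full 8-byte blocks only and route partial blocks through `LOADBYTES`/`STOREBYTES`.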
@@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/ascon.h @@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/config.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/config.h index f5873d0..a4f5879 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/config.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/config.h @@ -3,7 +3,7 @@ /* inline the ascon mode */ #ifndef ASCON_INLINE_MODE -#define ASCON_INLINE_MODE 1 +#define ASCON_INLINE_MODE 0 #endif /* inline all permutations */ 
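Review bot: The new `key_t` typedef in ascon.h collides with the POSIX type of the same name declared by `<sys/types.h>` (and pulled in transitively by several system headers), so a translation unit that includes both fails with a conflicting typedef; a project-prefixed name avoids this, e.g. `} ascon_key_t;` with the `ascon_initaead`/`ascon_final` prototypes updated to `const ascon_key_t* k`. The `#if (CRYPTO_KEYBYTES == 20)` guard inside the struct also depends on api.h having been included first; the header's only visible include is `word.h`, and an undefined macro evaluates to 0 in `#if`, which would silently drop `k0`. Either `#include "api.h"` here or state in a comment that api.h must precede this header.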
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/opt8/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/encrypt.c 
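Review bot: `#define INC -0x0f` is an unparenthesized negative literal; it works in `i += INC`, but any use under a unary or multiplicative operator (`-INC`, `2 * INC`) mis-parses, so it should read `#define INC (-0x0f)`. The round-constant schedule is now encoded twice in this header, once as `RC0..RCb` and once through `START`/`INC`/`END` with `RC(i)` being the identity, and nothing ties the two together; a one-line comment such as `/* START/INC/END walk RC0..RCb downward; END == RCb + INC */` would keep the next edit from desynchronizing them.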
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.c b/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/permutations.h 
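Review bot: The final-block `STORE(m, *px, clen)` in ascon_decrypt (and `STORE(c, *px, mlen)` in ascon_encrypt) is called with a length below 8, but `STORE` in word.h clears only the low `n` bytes and then ORs the whole `WORDTOU64(w)` into the 8-byte word, so destination bytes `n..7` receive the low bytes of the state word instead of keeping their value. In `crypto_aead_decrypt` those bytes lie past the end of the `m` buffer (`*mlen == clen`), which is an out-of-bounds write of internal state bits; in encrypt they land in the tag area and are only saved by the `STOREBYTES` tag writes below. The tails `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `LOAD(c, clen)` likewise over-read up to 7 bytes past the caller's buffer through `*(uint64_t*)bytes`. `LOADBYTES`/`STOREBYTES`, already used for the tag here, memcpy exactly n bytes and yield the same big-endian word, so the partial-block tails should use them while the full-block loops keep `LOAD`/`STORE`.
```c
    /* … unchanged: full-block loop in ascon_adata … */
    *px ^= PAD(adlen);
    if (adlen) *px ^= LOADBYTES(ad, adlen);

  /* … unchanged: full-block loop in ascon_encrypt … */
  *px ^= PAD(mlen);
  if (mlen) {
    *px ^= LOADBYTES(m, mlen);
    STOREBYTES(c, *px, mlen);
  }

  /* … unchanged: full-block loop in ascon_decrypt … */
  *px ^= PAD(clen);
  if (clen) {
    uint64_t cx = LOADBYTES(c, clen);
    *px ^= cx;
    STOREBYTES(m, *px, clen);
    *px = CLEAR(*px, clen);
    *px ^= cx;
  }
```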
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.c 
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/round.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/round.h index b4635a6..c059bbc 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/round.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/round.h 
@@ -4,50 +4,61 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); +forceinline void LINEAR_LAYER(state_t* s, uint64_t xtemp) { + uint64_t temp; + temp = s->x[2] ^ ROR(s->x[2], 28 - 19); + s->x[0] = s->x[2] ^ ROR(temp, 19); + temp = s->x[4] ^ ROR(s->x[4], 6 - 1); + s->x[2] = s->x[4] ^ ROR(temp, 1); + temp = s->x[1] ^ ROR(s->x[1], 41 - 7); + s->x[4] = s->x[1] ^ ROR(temp, 7); + temp = s->x[3] ^ ROR(s->x[3], 61 - 39); + s->x[1] = s->x[3] ^ ROR(temp, 39); + temp = xtemp ^ ROR(xtemp, 17 - 10); + s->x[3] = xtemp ^ ROR(temp, 10); } -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); +forceinline void NONLINEAR_LAYER(state_t* s, word_t* xtemp, uint8_t pos) { + uint8_t t0; + uint8_t t1; + uint8_t t2; + // Based on the round description of Ascon given in the Bachelor's thesis: + //"Optimizing Ascon on RISC-V" of Lars Jellema + // see https://github.com/Lucus16/ascon-riscv/ + t0 = XOR8(s->b[1][pos], s->b[2][pos]); + t1 = XOR8(s->b[0][pos], s->b[4][pos]); + t2 = XOR8(s->b[3][pos], s->b[4][pos]); + s->b[4][pos] = OR8(s->b[3][pos], NOT8(s->b[4][pos])); + s->b[4][pos] = XOR8(s->b[4][pos], t0); + s->b[3][pos] = XOR8(s->b[3][pos], s->b[1][pos]); + s->b[3][pos] = OR8(s->b[3][pos], t0); + s->b[3][pos] = XOR8(s->b[3][pos], t1); + s->b[2][pos] = XOR8(s->b[2][pos], t1); + s->b[2][pos] = OR8(s->b[2][pos], s->b[1][pos]); + s->b[2][pos] = XOR8(s->b[2][pos], t2); + s->b[1][pos] = AND8(s->b[1][pos], NOT8(t1)); + s->b[1][pos] = XOR8(s->b[1][pos], t2); + s->b[0][pos] = OR8(s->b[0][pos], t2); + (*xtemp).b[pos] = XOR8(s->b[0][pos], t0); } -forceinline void ROUND(state_t* s, word_t C) { +forceinline void ROUND(state_t* s, uint8_t C) { word_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->b[2][0] = XOR8(s->b[2][0], C); /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, 
s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + for (uint8_t i = 0; i < 8; i++) NONLINEAR_LAYER(s, &xtemp, i); /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + LINEAR_LAYER(s, xtemp.x); printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/opt8/word.h b/ascon/Implementations/crypto_aead/ascon128av12/opt8/word.h index cda2e83..4fd3cf0 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/opt8/word.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/opt8/word.h @@ -2,17 +2,19 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" typedef union { - uint64_t w; + uint64_t x; + uint32_t w[2]; uint8_t b[8]; } word_t; -#define U64TOWORD WORD_T -#define WORDTOU64 UINT64_T +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) #define XMUL(i, x) \ do { \ 
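Review bot: `LINEAR_LAYER` writes each output row from a different input row (`x[0]` from `x[2]`, `x[2]` from `x[4]`, `x[4]` from `x[1]`, `x[1]` from `x[3]`, `x[3]` from `xtemp`) and the old explicit `s->x2 = NOT(s->x2)` is gone, so a reader checking this against the specification's in-place linear layer will conclude it is wrong. Presumably the row permutation falls out of the byte-sliced `NONLINEAR_LAYER` formulation and the inversion is folded into its OR/NOT form, but nothing in the file says so. A comment above `LINEAR_LAYER` stating which s-box output each row (and `xtemp`) holds on entry, that the row order is restored here, and where the spec's NOT on x2 went (if that is indeed the case) would make the correspondence checkable; the `//` comments inside `NONLINEAR_LAYER` should also follow the `/* */` style used elsewhere in the file.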
@@ -21,8 +23,8 @@ typedef union { b.b[(byte_rol + (i) + 1) & 0x7] ^= tmp >> 8; \ } while (0) -forceinline word_t ROR(word_t a, int n) { - word_t b = {.w = 0ull}; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t a = {.x = x}, b = {.x = 0ull}; int bit_rol = (64 - n) & 0x7; int byte_rol = (64 - n) >> 3; uint16_t tmp; 
@@ -34,73 +36,63 @@ forceinline word_t ROR(word_t a, int n) { XMUL(5, bit_rol); XMUL(6, bit_rol); XMUL(7, bit_rol); - return b; + return b.x; } -forceinline word_t WORD_T(uint64_t x) { return (word_t){.w = x}; } +forceinline uint8_t NOT8(uint8_t a) { return ~a; } -forceinline uint64_t UINT64_T(word_t w) { return w.w; } +forceinline uint8_t XOR8(uint8_t a, uint8_t b) { return a ^ b; } -forceinline word_t NOT(word_t a) { - a.w = ~a.w; - return a; -} - -forceinline word_t XOR(word_t a, word_t b) { - a.w ^= b.w; - return a; -} +forceinline uint8_t AND8(uint8_t a, uint8_t b) { return a & b; } -forceinline word_t AND(word_t a, word_t b) { - a.w &= b.w; - return a; -} +forceinline uint8_t OR8(uint8_t a, uint8_t b) { return a | b; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - return (word_t){.w = lo2hi.w << 32 | hi2lo.w >> 32}; +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { - uint64_t result = a.w | b.w; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return WORD_T(0x80ull << (56 - 8 * i)); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } -forceinline uint64_t MASK(int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - return ~0ull >> (64 - 8 * n); + uint64_t mask = ~0ull >> (8 * n); + return w & mask; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); - return AND(w, WORD_T(mask)); + return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = 
*(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/api.h b/ascon/Implementations/crypto_aead/ascon128av12/ref/api.h index 2d904bf..0eec2d1 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/ref/api.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/ref/ascon.h index c998868..78a7c27 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/ref/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/ascon.h @@ -4,7 +4,7 @@ #include typedef struct { - uint64_t x0, x1, x2, x3, x4; + uint64_t x[5]; } state_t; -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/constants.h b/ascon/Implementations/crypto_aead/ascon128av12/ref/constants.h new file mode 100644 index 0000000..dc3d36d --- /dev/null 
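Review bot: The `/* undefined for n == 0 */` comment now sits above both `CLEAR` and `MASK`, but only `MASK` earns it: `~0ull >> (64 - 8 * n)` shifts by 64 at n == 0, whereas the new `CLEAR` body `~0ull >> (8 * n)` is a no-op at n == 0 and undefined at n == 8. The two helpers swapped position in this hunk and the old `CLEAR` comment travelled with the name; change the one above `CLEAR` to `/* undefined for n == 8 */`. `STORE` in the same hunk still ORs the full `WORDTOU64(w)` after clearing only the low `n` bytes, so for n < 8 it overwrites bytes `n..7` of the destination with the low bytes of `w`; if partial-length stores are intended it should be `*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`, otherwise document it as full-block only.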
+++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/constants.h 
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV \
+ (((uint64_t)(ASCON_128_KEYBYTES * 8) << 56) | \
+ ((uint64_t)(ASCON_128_RATE * 8) << 48) | \
+ ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_128_PB_ROUNDS) << 32))
+
+#define ASCON_128A_IV \
+ (((uint64_t)(ASCON_128A_KEYBYTES * 8) << 56) | \
+ ((uint64_t)(ASCON_128A_RATE * 8) << 48) | \
+ ((uint64_t)(ASCON_128A_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_128A_PB_ROUNDS) << 32))
+
+#define ASCON_80PQ_IV \
+ (((uint64_t)(ASCON_80PQ_KEYBYTES * 8) << 56) | \
+ ((uint64_t)(ASCON_128_RATE * 8) << 48) | \
+ ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_128_PB_ROUNDS) << 32))
+
+#define ASCON_HASH_IV \
+ (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
+ ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32) | \
+ ((uint64_t)(ASCON_HASH_BYTES * 8) << 0))
+
+#define ASCON_HASHA_IV \
+ (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
+ ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32) | \
+ ((uint64_t)(ASCON_HASH_BYTES * 8) << 0))
+
+#define ASCON_XOF_IV \
+ (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
+ ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32))
+
+#define ASCON_XOFA_IV \
+ (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
+ ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32))
+
+#define ASCON_PRF_IV \
+ (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \
+ ((uint64_t)(ASCON_PRF_OUT_RATE * 8) << 48) | \
+ ((uint64_t)(0x80 | ASCON_PRF_PA_ROUNDS) << 40))
+
+#define ASCON_MAC_IV \
+ (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \
+ ((uint64_t)(ASCON_PRF_OUT_RATE * 8) << 48) | \
+ ((uint64_t)(0x80 | ASCON_PRF_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_PRF_BYTES * 8) << 0))
+
+#define ASCON_PRFS_IV \
+ (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \
+ ((uint64_t)(0x40 | ASCON_PRF_PA_ROUNDS) << 40) | \
+ ((uint64_t)(ASCON_PRF_BYTES * 8) << 32))
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/ref/encrypt.c
index c818325..e1e879c 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/ref/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/encrypt.c
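Review bot: ASCON_HASH_IV and ASCON_HASHA_IV expand `ASCON_HASH_BYTES`, and ASCON_PRF_IV, ASCON_MAC_IV and ASCON_PRFS_IV expand `CRYPTO_KEYBYTES` and `ASCON_PRF_BYTES`, none of which this new header defines or includes, while the permutations.h hunk in the same commit deletes the old `#define ASCON_HASH_BYTES 32` without carrying it over. Macro expansion is lazy, so nothing fails until a translation unit actually uses one of those IVs, and it then fails with an undefined identifier far from the cause. Either define the two `*_BYTES` values here (with `#include "api.h"` for `CRYPTO_KEYBYTES`), or put a comment above the hash/PRF IVs naming the contract, e.g. `/* ASCON_HASH_BYTES, ASCON_PRF_BYTES and CRYPTO_KEYBYTES must be defined by the including implementation (api.h) before these IVs are used */`. The `#include` line has lost its target in this rendering (presumably `<stdint.h>`), so I cannot confirm what the header pulls in.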
@@ -23,46 +23,50 @@ int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
 /* initialize */
 state_t s;
- s.x0 = ASCON_128A_IV;
- s.x1 = K0;
- s.x2 = K1;
- s.x3 = N0;
- s.x4 = N1;
+ s.x[0] = ASCON_128A_IV;
+ s.x[1] = K0;
+ s.x[2] = K1;
+ s.x[3] = N0;
+ s.x[4] = N1;
+ printstate("init 1st key xor", &s);
 P12(&s);
- s.x3 ^= K0;
- s.x4 ^= K1;
- printstate("initialization", &s);
+ s.x[3] ^= K0;
+ s.x[4] ^= K1;
+ printstate("init 2nd key xor", &s);
 if (adlen) {
 /* full associated data blocks */
 while (adlen >= ASCON_128A_RATE) {
- s.x0 ^= LOADBYTES(ad, 8);
- s.x1 ^= LOADBYTES(ad + 8, 8);
+ s.x[0] ^= LOADBYTES(ad, 8);
+ s.x[1] ^= LOADBYTES(ad + 8, 8);
+ printstate("absorb adata", &s);
 P8(&s);
 ad += ASCON_128A_RATE;
 adlen -= ASCON_128A_RATE;
 }
 /* final associated data block */
 if (adlen >= 8) {
- s.x0 ^= LOADBYTES(ad, 8);
- s.x1 ^= LOADBYTES(ad + 8, adlen - 8);
- s.x1 ^= PAD(adlen - 8);
+ s.x[0] ^= LOADBYTES(ad, 8);
+ s.x[1] ^= LOADBYTES(ad + 8, adlen - 8);
+ s.x[1] ^= PAD(adlen - 8);
 } else {
- s.x0 ^= LOADBYTES(ad, adlen);
- s.x0 ^= PAD(adlen);
+ s.x[0] ^= LOADBYTES(ad, adlen);
+ s.x[0] ^= PAD(adlen);
 }
+ printstate("pad adata", &s);
 P8(&s);
 }
 /* domain separation */
- s.x4 ^= 1;
- printstate("process associated data", &s);
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
 /* full plaintext blocks */
 while (mlen >= ASCON_128A_RATE) {
- s.x0 ^= LOADBYTES(m, 8);
- s.x1 ^= LOADBYTES(m + 8, 8);
- STOREBYTES(c, s.x0, 8);
- STOREBYTES(c + 8, s.x1, 8);
+ s.x[0] ^= LOADBYTES(m, 8);
+ s.x[1] ^= LOADBYTES(m + 8, 8);
+ STOREBYTES(c, s.x[0], 8);
+ STOREBYTES(c + 8, s.x[1], 8);
+ printstate("absorb plaintext", &s);
 P8(&s);
 m += ASCON_128A_RATE;
 c += ASCON_128A_RATE;
@@ -70,30 +74,145 @@ int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
 }
 /* final plaintext block */
 if (mlen >= 8) {
- s.x0 ^= LOADBYTES(m, 8);
- s.x1 ^= LOADBYTES(m + 8, mlen - 8);
- STOREBYTES(c, s.x0, 8);
- STOREBYTES(c + 8, s.x1, mlen - 8);
- s.x1 ^= PAD(mlen - 8);
+ s.x[0] ^= LOADBYTES(m, 8);
+ s.x[1] ^= LOADBYTES(m + 8, mlen - 8);
+ STOREBYTES(c, s.x[0], 8);
+ STOREBYTES(c + 8, s.x[1], mlen - 8);
+ s.x[1] ^= PAD(mlen - 8);
 } else {
- s.x0 ^= LOADBYTES(m, mlen);
- STOREBYTES(c, s.x0, mlen);
- s.x0 ^= PAD(mlen);
+ s.x[0] ^= LOADBYTES(m, mlen);
+ STOREBYTES(c, s.x[0], mlen);
+ s.x[0] ^= PAD(mlen);
 }
 c += mlen;
- printstate("process plaintext", &s);
+ printstate("pad plaintext", &s);
 /* finalize */
- s.x2 ^= K0;
- s.x3 ^= K1;
+ s.x[2] ^= K0;
+ s.x[3] ^= K1;
+ printstate("final 1st key xor", &s);
 P12(&s);
- s.x3 ^= K0;
- s.x4 ^= K1;
- printstate("finalization", &s);
+ s.x[3] ^= K0;
+ s.x[4] ^= K1;
+ printstate("final 2nd key xor", &s);
 /* set tag */
- STOREBYTES(c, s.x3, 8);
- STOREBYTES(c + 8, s.x4, 8);
+ STOREBYTES(c, s.x[3], 8);
+ STOREBYTES(c + 8, s.x[4], 8);
 return 0;
 }
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ (void)nsec;
+
+ if (clen < CRYPTO_ABYTES) return -1;
+
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+
+ /* load key and nonce */
+ const uint64_t K0 = LOADBYTES(k, 8);
+ const uint64_t K1 = LOADBYTES(k + 8, 8);
+ const uint64_t N0 = LOADBYTES(npub, 8);
+ const uint64_t N1 = LOADBYTES(npub + 8, 8);
+
+ /* initialize */
+ state_t s;
+ s.x[0] = ASCON_128A_IV;
+ s.x[1] = K0;
+ s.x[2] = K1;
+ s.x[3] = N0;
+ s.x[4] = N1;
+ printstate("init 1st key xor", &s);
+ P12(&s);
+ s.x[3] ^= K0;
+ s.x[4] ^= K1;
+ printstate("init 2nd key xor", &s);
+
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_128A_RATE) {
+ s.x[0] ^= LOADBYTES(ad, 8);
+ s.x[1] ^= LOADBYTES(ad + 8, 8);
+ printstate("absorb adata", &s);
+ P8(&s);
+ ad += ASCON_128A_RATE;
+ adlen -= ASCON_128A_RATE;
+ }
+ /* final associated data block */
+ if (adlen >= 8) {
+ s.x[0] ^= LOADBYTES(ad, 8);
+ s.x[1] ^= LOADBYTES(ad + 8, adlen - 8);
+ s.x[1] ^= PAD(adlen - 8);
+ } else {
+ s.x[0] ^= LOADBYTES(ad, adlen);
+ s.x[0] ^= PAD(adlen);
+ }
+ printstate("pad adata", &s);
+ P8(&s);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+
+ /* full ciphertext blocks */
+ clen -= CRYPTO_ABYTES;
+ while (clen >= ASCON_128A_RATE) {
+ uint64_t c0 = LOADBYTES(c, 8);
+ uint64_t c1 = LOADBYTES(c + 8, 8);
+ STOREBYTES(m, s.x[0] ^ c0, 8);
+ STOREBYTES(m + 8, s.x[1] ^ c1, 8);
+ s.x[0] = c0;
+ s.x[1] = c1;
+ printstate("insert ciphertext", &s);
+ P8(&s);
+ m += ASCON_128A_RATE;
+ c += ASCON_128A_RATE;
+ clen -= ASCON_128A_RATE;
+ }
+ /* final ciphertext block */
+ if (clen >= 8) {
+ uint64_t c0 = LOADBYTES(c, 8);
+ uint64_t c1 = LOADBYTES(c + 8, clen - 8);
+ STOREBYTES(m, s.x[0] ^ c0, 8);
+ STOREBYTES(m + 8, s.x[1] ^ c1, clen - 8);
+ s.x[0] = c0;
+ s.x[1] = CLEARBYTES(s.x[1], clen - 8);
+ s.x[1] |= c1;
+ s.x[1] ^= PAD(clen - 8);
+ } else {
+ uint64_t c0 = LOADBYTES(c, clen);
+ STOREBYTES(m, s.x[0] ^ c0, clen);
+ s.x[0] = CLEARBYTES(s.x[0], clen);
+ s.x[0] |= c0;
+ s.x[0] ^= PAD(clen);
+ }
+ c += clen;
+ printstate("pad ciphertext", &s);
+
+ /* finalize */
+ s.x[2] ^= K0;
+ s.x[3] ^= K1;
+ printstate("final 1st key xor", &s);
+ P12(&s);
+ s.x[3] ^= K0;
+ s.x[4] ^= K1;
+ printstate("final 2nd key xor", &s);
+
+ /* set tag */
+ uint8_t t[16];
+ STOREBYTES(t, s.x[3], 8);
+ STOREBYTES(t + 8, s.x[4], 8);
+
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= c[i] ^ t[i];
+ result = (((result - 1) >> 8) & 1) - 1;
+
+ return result;
+}
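Review bot: crypto_aead_decrypt has already written every plaintext block into `m` and stored `*mlen` by the time the tag comparison at the bottom runs, so on a mismatch the caller's buffer holds unauthenticated plaintext and only the -1 return says so. The NIST LWC API tolerates that, but this reference code gets copied, so I would keep the initial `m` pointer and wipe the output when `result` is nonzero, as sketched below (memset needs `<string.h>`; whether encrypt.c already includes it is outside the hunk). The mask computation `(((result - 1) >> 8) & 1) - 1` also right-shifts a negative `int` in the matching-tag case, which is implementation-defined rather than guaranteed arithmetic; doing the arithmetic on `uint32_t` removes that dependency. Clearing `t` before returning would keep the expected tag from lingering on the stack.
```c
  /* set plaintext size */
  *mlen = clen - CRYPTO_ABYTES;
  unsigned char* m_start = m; /* kept so the output can be wiped on failure */
  /* … unchanged: key/nonce load, initialization, AD, ciphertext, finalization, tag … */
  int result = 0;
  for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= c[i] ^ t[i];
  /* all-ones when any tag byte differs, zero otherwise; unsigned so no negative shift */
  result = (int)((((uint32_t)result - 1u) >> 8) & 1u) - 1;
  if (result) {
    memset(m_start, 0, (size_t)*mlen); /* do not release unauthenticated plaintext */
    *mlen = 0;
  }
  return result;
```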
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/permutations.h b/ascon/Implementations/crypto_aead/ascon128av12/ref/permutations.h
index ff5724d..3b9b892 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/ref/permutations.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/permutations.h
@@ -4,73 +4,11 @@
 #include
 #include "ascon.h"
+#include "constants.h"
 #include "printstate.h"
 #include "round.h"
-#define ASCON_128_KEYBYTES 16
-#define ASCON_128A_KEYBYTES 16
-#define ASCON_80PQ_KEYBYTES 20
-
-#define ASCON_128_RATE 8
-#define ASCON_128A_RATE 16
-#define ASCON_HASH_RATE 8
-
-#define ASCON_128_PA_ROUNDS 12
-#define ASCON_128_PB_ROUNDS 6
-
-#define ASCON_128A_PA_ROUNDS 12
-#define ASCON_128A_PB_ROUNDS 8
-
-#define ASCON_HASH_PA_ROUNDS 12
-#define ASCON_HASH_PB_ROUNDS 12
-
-#define ASCON_HASHA_PA_ROUNDS 12
-#define ASCON_HASHA_PB_ROUNDS 8
-
-#define ASCON_HASH_BYTES 32
-
-#define ASCON_128_IV \
- (((uint64_t)(ASCON_128_KEYBYTES * 8) << 56) | \
- ((uint64_t)(ASCON_128_RATE * 8) << 48) | \
- ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \
- ((uint64_t)(ASCON_128_PB_ROUNDS) << 32))
-
-#define ASCON_128A_IV \
- (((uint64_t)(ASCON_128A_KEYBYTES * 8) << 56) | \
- ((uint64_t)(ASCON_128A_RATE * 8) << 48) | \
- ((uint64_t)(ASCON_128A_PA_ROUNDS) << 40) | \
- ((uint64_t)(ASCON_128A_PB_ROUNDS) << 32))
-
-#define ASCON_80PQ_IV \
- (((uint64_t)(ASCON_80PQ_KEYBYTES * 8) << 56) | \
- ((uint64_t)(ASCON_128_RATE * 8) << 48) | \
- ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \
- ((uint64_t)(ASCON_128_PB_ROUNDS) << 32))
-
-#define ASCON_HASH_IV \
- (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
- ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \
- ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32) | \
- ((uint64_t)(ASCON_HASH_BYTES * 8) << 0))
-
-#define ASCON_HASHA_IV \
- (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
- ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \
- ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32) | \
- ((uint64_t)(ASCON_HASH_BYTES * 8) << 0))
-
-#define ASCON_XOF_IV \
- (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
- ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \
- ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32))
-
-#define ASCON_XOFA_IV \
- (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \
- ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \
- ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32))
-
 static inline void P12(state_t* s) {
- printstate(" permutation input", s);
 ROUND(s, 0xf0);
 ROUND(s, 0xe1);
 ROUND(s, 0xd2);
@@ -86,7 +24,6 @@ static inline void P12(state_t* s) {
 }
 static inline void P8(state_t* s) {
- printstate(" permutation input", s);
 ROUND(s, 0xb4);
 ROUND(s, 0xa5);
 ROUND(s, 0x96);
@@ -98,7 +35,6 @@ static inline void P8(state_t* s) {
 }
 static inline void P6(state_t* s) {
- printstate(" permutation input", s);
 ROUND(s, 0x96);
 ROUND(s, 0x87);
 ROUND(s, 0x78);
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.c b/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.c
index 6cb5f4d..9b03f87 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.c
+++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.c
@@ -1,21 +1,32 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.h b/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.h
index 77fc246..8b95b06 100644
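Review bot: The trace printstate emits contains secret material: the "init 1st key xor" call in encrypt.c prints `s->x[1]` and `s->x[2]` right after they are set to K0 and K1, and "final 2nd key xor" prints the words that become the tag, so any build with `ASCON_PRINT_STATE` defined writes the key and the tag to stdout. Nothing in this file says so; a comment directly under the `#ifdef` would make the constraint explicit, e.g. `/* Debugging aid only: the trace includes the key, nonce and tag words, so ASCON_PRINT_STATE must never be defined in a build that handles real keys. */`. Minor: `for (int i = strlen(text); i < 17; ++i)` narrows a `size_t` into an `int`; `for (size_t i = strlen(text); i < 17; ++i)` avoids the sign-conversion warning without changing the output.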
--- a/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/round.h b/ascon/Implementations/crypto_aead/ascon128av12/ref/round.h
index 64ad619..879e895 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/ref/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/round.h
@@ -5,36 +5,36 @@
 #include "printstate.h"
 static inline uint64_t ROR(uint64_t x, int n) {
- return (x << (64 - n)) | (x >> n);
+ return x >> n | x << (-n & 63);
 }
 static inline void ROUND(state_t* s, uint8_t C) {
 state_t t;
 /* addition of round constant */
- s->x2 ^= C;
+ s->x[2] ^= C;
 /* printstate(" round constant", s); */
 /* substitution layer */
- s->x0 ^= s->x4;
- s->x4 ^= s->x3;
- s->x2 ^= s->x1;
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
 /* start of keccak s-box */
- t.x0 = s->x0 ^ (~s->x1 & s->x2);
- t.x1 = s->x1 ^ (~s->x2 & s->x3);
- t.x2 = s->x2 ^ (~s->x3 & s->x4);
- t.x3 = s->x3 ^ (~s->x4 & s->x0);
- t.x4 = s->x4 ^ (~s->x0 & s->x1);
+ t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]);
+ t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]);
+ t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]);
+ t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]);
+ t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]);
 /* end of keccak s-box */
- t.x1 ^= t.x0;
- t.x0 ^= t.x4;
- t.x3 ^= t.x2;
- t.x2 = ~t.x2;
+ t.x[1] ^= t.x[0];
+ t.x[0] ^= t.x[4];
+ t.x[3] ^= t.x[2];
+ t.x[2] = ~t.x[2];
 /* printstate(" substitution layer", &t); */
 /* linear diffusion layer */
- s->x0 = t.x0 ^ ROR(t.x0, 19) ^ ROR(t.x0, 28);
- s->x1 = t.x1 ^ ROR(t.x1, 61) ^ ROR(t.x1, 39);
- s->x2 = t.x2 ^ ROR(t.x2, 1) ^ ROR(t.x2, 6);
- s->x3 = t.x3 ^ ROR(t.x3, 10) ^ ROR(t.x3, 17);
- s->x4 = t.x4 ^ ROR(t.x4, 7) ^ ROR(t.x4, 41);
+ s->x[0] = t.x[0] ^ ROR(t.x[0], 19) ^ ROR(t.x[0], 28);
+ s->x[1] = t.x[1] ^ ROR(t.x[1], 61) ^ ROR(t.x[1], 39);
+ s->x[2] = t.x[2] ^ ROR(t.x[2], 1) ^ ROR(t.x[2], 6);
+ s->x[3] = t.x[3] ^ ROR(t.x[3], 10) ^ ROR(t.x[3], 17);
+ s->x[4] = t.x[4] ^ ROR(t.x[4], 7) ^ ROR(t.x[4], 41);
 printstate(" round output", s);
 }
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/ref/word.h b/ascon/Implementations/crypto_aead/ascon128av12/ref/word.h
index 4af47e3..3157950 100644
--- a/ascon/Implementations/crypto_aead/ascon128av12/ref/word.h
+++ b/ascon/Implementations/crypto_aead/ascon128av12/ref/word.h
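Review bot: `return x >> n | x << (-n & 63);` removes the 64-bit shift the old form performed for n == 0 (no such call is visible in ROUND, but the helper should be total), yet it reads as precedence trivia and negates a signed `int` before masking. `return (x >> n) | (x << ((64 - n) & 63));` expresses the same rotation with no negative operand and no reliance on the reader knowing that shifts bind tighter than `|`. A one-line comment such as `/* rotate right by n, n in 0..63 */` would also document the accepted range, since callers pass literal constants and nothing checks them.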
@@ -2,11 +2,9 @@
 #define WORD_H_
 #include
+#include
-#define WORDTOU64
-#define U64TOWORD
-
-typedef uint64_t word_t;
+typedef uint64_t uint64_t;
 /* get byte from 64-bit Ascon word */
 #define GETBYTE(x, i) ((uint8_t)((uint64_t)(x) >> (56 - 8 * (i))))
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/LWC_AEAD_KAT_128_128.txt b/ascon/Implementations/crypto_aead/ascon128bi32v12/LWC_AEAD_KAT_128_128.txt
new file mode 100644
index 0000000..d91b9e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/LWC_AEAD_KAT_128_128.txt
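Review bot: `typedef uint64_t uint64_t;` declares the type as an alias of itself: before C11 a typedef redefinition is a constraint violation that compilers reject, and under C11 (6.7p3 allows identical redefinitions) it is a no-op, so the line should simply be deleted. If the intent was to keep a word alias for code shared with the other implementations, `typedef uint64_t word_t;` is the line to keep. With `WORDTOU64` and `U64TOWORD` no longer defined here, anything later in word.h that still expands them would fail to compile; that part of the file is outside the hunk, so I cannot confirm whether LOADBYTES/STOREBYTES in this directory were updated to match (printstate.c protects itself with `#ifndef` fallbacks).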
@@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = +CT = 2BB7DDC855146A659933C1D1CC29B2CC + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00 +CT = 20546C52360E0D25BAC5C8A56E5C0C65 + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001 +CT = 2034404D9BF73D53A14165A8072AFD19 + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102 +CT = 10A4A74D83DAFCD6D23A4F203E14E96A + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203 +CT = 3DE4142FDAE30294E7790DF3EB988145 + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304 +CT = FC7354FFC308FDFE023D4439B68BFE76 + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405 +CT = 16C35A7F3C78B031942CBB566C8B236E + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506 +CT = EDBB764953621E3D81FD957DD8154174 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304050607 +CT = BBA76D4FA7A9F4EB5756E4337696ABB7 + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708 +CT = 83BB56A76B47AAE34CB2E4326378B850 + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506070809 +CT = 9BF45871726958D815741882DB89530F + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A +CT = 2BF9CE6ED16014B2C476DA5C73B5780B + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B +CT = 1FD7D89C67D26EA44EDD34D33AFCE052 + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C +CT = DA3A21DC37ACD9686C0C9B16591F1F32 + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D +CT = 1B92B3C865B26813CCF28B0993B0538F + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E +CT = A2C38D42B189CBA983C664ABF0CD68BF + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = 339844DA212DBD0863C844570B5C8F86 + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = E5F4BEED91B428B843886A8F2577210F + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 580F7559DB0F8547CE6F7CFA0DE66A1E + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 115405555F5C351D910933C8A9F431BC + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 79E33FDC89DDC70B80D9190C78F56F2E + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 0D19DA45743E1983B82B644701565B87 + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FFBD8ECE8DE5A5EBDA8FB0AE4D0D0A85 + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce 
= 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 1059627D5BE37FFEDACAA1E7F4B5A2BA + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = A60BDAAE35959910182336D866868527 + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C42F66C07219B19053CE9D81A4ADC447 + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 1AF7EA2A3F825C05C3AC6E547B4AF18C + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 965E5A621A0B14791AE0C8A64F7AFA25 + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 9B0399828555E46BB740D4407AC170E1 + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 4CA17EF9F4F12DF3396106A9EB0F4367 + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B50F65D640CE81E453B828FED4580DA3 + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 6433D07D5AF0453A347E9C1C93AF5BD4 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = CE010C4D87ADFA20C021269B8B853FA8 + +Count = 34 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = +CT = BCA68DF9A2851AA0E338E6F8FA5046B87E + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00 +CT = A1956DC0F884D5A2828966977FEA1C65BA + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001 +CT = E65B30B8CC8C34B7D5BAC4CB7DCB2F3B3D + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102 +CT = C76096E14C428440A724063148FA15898F + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203 +CT = 59F3EE72B7BF12A015828FE0373257F6AA + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304 +CT = 07F3F8A9B269A25FEEFFFDD529C9EE9392 + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405 +CT = 59570C3F6BAF15311630E6FBC3B9AE09FC + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506 +CT = 2AA244DA76567557226115C0B319A0C3AA + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304050607 +CT = 3F5F79256986853A1B8F5A54ACB37DACDD + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708 +CT = C224E6DF3E91DAA05A3A5F29FF6F8C2F9E + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506070809 +CT = 032A5211EB3B3862E18F1E8BC21307E1BA + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A +CT = F8359CE0B8EAADA9EF3B4D571B8F5B8F75 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B +CT = D367F71F09219E560621E8A07EC7D607EB + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C +CT = 1DF2E670B2AF9CAAB15EEC4E327F6F3926 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = AF7338CEF7CBCC84EF286A2252EB075366 + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = 299868E3947A77965ED9FB1E18E51A1539 + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = 23F8B5EC7999D51DD81A96699C34C70512 + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 8995AD793F8D280F4757E7254971EA0C73 + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 07AAC3E10F4FEF821FD434837F983D9CF7 + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C5E952A2EE092BD7E4882817BD4FC7137 + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8479468F8B28CACA42EECF433FDAE158A + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B4ADE8AD5D3B875C1B795A036CCF9EEA23 + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 
0E3EA240093D4A7F1940E18DB67782E9E6 + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A8762A5CBAC4810DFA727115DE93688E4A + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A9D2BD7DB9DD727C9B300003429E51C0 + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 4899E7B97B2CA945FA89204945DEF27652 + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A360C5DAE529B6799EEFAF0EF0759C623B + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 7963895FA477C584F381C1262F7F44781F + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 54772EAFC51D7DB8932D36E2A5710CF951 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 24E85F2D9A039CD16F7BD098BDE6204785 + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C3797E86D6465A692D37732373569A70DC + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B151E75BC311474244F9377A4032DB9B6F + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F41A80CE1CC3B7C1F8509D7302C0EFB8BA + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = +CT = BC3D3E03DF6BB15FB0AE1FDE0A981EA01500 + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00 +CT = A18A78AF944255A9801512E362617FFCAB01 + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001 +CT = E6965F5280BDF871A1F5E2C3E2E3BB0FFF80 + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102 +CT = C71132D2DF3C4DF526A5BD30CBBF12D070C0 + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203 +CT = 59F83F905CCE324E72C39BCD442388838E57 + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304 +CT = 07C9787431D76F3E77B04AC4CAD78AC9BF21 + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405 +CT = 59362002FA75F92D30C97B1A273DC8BF7487 + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506 +CT = 2ABB9193828DF9F06700BB389B9B3F1752AD + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304050607 +CT = 3FD7063312DCAB430A6E984C444045AF3221 + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708 +CT = C2549EDE41C9ECA1CAE67576D0AEF8E25A97 + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506070809 +CT = 03344342E5F4BF38E7C38CF3227C661CE2A5 + +Count = 78 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A +CT = F86B13143D45283C6A7982DB9710C8FB253D + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B +CT = D3F15ED5CAA5843A8C1FC5F8E83AF31F404C + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C +CT = 1D9416B8959C915F2CDFF1B790071C21A4DD + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = AFCC57367104F9636FC66450B3357C413E41 + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = 2931EE2F549170B49AB20FA084149FFDA75B + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A7C1A22931DF85241A67429274B15410F + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DCB4244AB3421767A49E265B3261DC2C5D + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798DF82230B419E2F53EC828FCAE3843D64 + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49CAFC3A2C1528B85A64DB2DB5288C5342 + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A7507BCFABA50F37A8949AA409EAF0C136 + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 
000102030405060708090A0B0C0D0E0F1011121314 +CT = B4663E5545F323AF2C69CAE63A24BAC59325 + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E923412BD1EE236F2E0EE9967076BE46363 + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DFD2F0726ED2F85F83AABB75709683B28 + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A68A553BDEE99DBBDC8402DF5C108B7C2F + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2AE3162CF36477EA874300BCCD4211388 + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E1E02210139C70A63D631BCB2AB0104B55 + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C72A8F6B5F5929884663930E5C17048CCB + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 5425571E26D4EF170DF5BCF5A679EE9D6ED8 + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473B073E75D95D88B043C8E7891E94C4041 + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C3485CA57959F3F4828E6F8EC961EF5A63B6 + +Count = 98 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B1331AB09635711A4EF1CC09024A8843FE19 + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43F37A867EB7F125CAD8FB0B2D9E0253753 + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = +CT = BC3DC569B63B2B9A3580C7B2A1DDEA8CB6545A + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00 +CT = A18A7E964A39B1F5C0DDEF5223294F5D066563 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001 +CT = E6968F18ED13AACD14512A0C8E178153658810 + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102 +CT = C7119EB8AF8715B082EFB6926FDB5FB145A71A + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203 +CT = 59F8F2626BE0FBFC87B227E17982C8C8C9BC9E + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304 +CT = 07C91C6B9526627625CDC37369F0055897544C + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405 +CT = 59364BD2AB5D746ABF6C0165D97A3D02F6DF07 + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506 +CT = 2ABB7B2038E1FD75FBA6377A7354E3C6F1CE46 + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304050607 +CT = 3FD789E8F14953F28EB57921834CD7FBD42889 + +Count = 109 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708 +CT = C254109D8F623ACE3EDCCB38DF3E208EAEA30D + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506070809 +CT = 0334A68A6E509AA2FE25C0C05EA262B7093CB6 + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A +CT = F86B45FEFA1B85B47AE0BAD9C952C04C1125D8 + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B +CT = D3F1449F72CE9ACF9C6A2B832B7B01FAF45768 + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C +CT = 1D94EE0AFDDD5886AFE81726E6117B0D69B413 + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD801268D9B521D5E29BE577280716E0C5 + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB23BE45C08BB6738A94049CBDDFF2FCA7 + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3D6631745489332D317D7BB59343728C1A + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC931326A5AD26AE03B71CFF3775AE993A96 + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 079866B96A33B4FFD95F42F3C0784464793452 + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 
000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1E01A2EF85CA559E75289B29F16ADC9F9 + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B2033BEC502850CBD81930F561A920872 + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4A948352F707775017CE061047F65250A + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E92739F752B0E9D40B37C4EF4DA61889C60D9 + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB09FF84D6F3A8BCCEA37A535111D62E79D + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A6084A1D92A27D0FD5DDDCF18BF978799E4C + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF630858DB58030A8EF76C3650C772F130 + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C65C6BB9F4C6198BF6CEAAEED2E73DC04 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEE9B0DEA810F0986A3630A46FD465ADEF + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 5425478A5D9558A61AC0C83A04FB007E8500F7 + +Count = 129 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EFEF160B57B613C4171BDBF643187A03A0 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348629874B66B568FB0453E68A38871F68D63 + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379C0805155DDE104B9590703A2ABCEE62A + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD9F3B562126F3714B6D8EB084801A85C4 + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = +CT = BC3DC525E83EFCE2965E3C537F8E93CEB3CE2A24 + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00 +CT = A18A7E6D9DD53E73EE323E038D1F256B1EDC27CF + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001 +CT = E6968F13108C9D6DC9B1B9F0FE2507458B415B8A + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102 +CT = C7119EB324176E2888AFB6BF9C1C58C9C85D5B20 + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203 +CT = 59F8F2674D879CCB017AA3BFE4FEFF6B9574C941 + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304 +CT = 07C91CFB8116646F11C36AE8CCFE17CCC141AE42 + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
00010203 +AD = 000102030405 +CT = 59364B8EC5F8F16FE5FDF433A98D67CF0378C1AE + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506 +CT = 2ABB7B3DF109FE4F5EF38622A789E050B3259569 + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304050607 +CT = 3FD7897D6E0B20DB0DBDBB0A640BCEE4AB065A1F + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708 +CT = C2541014B7F324938C6A8C2D77A1730970EC99FD + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506070809 +CT = 0334A6C7DDB01D6C0E6F433ED5D2FA4F01550602 + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A +CT = F86B45F424A402D5C8478E9DD6F700F229860687 + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B +CT = D3F144B4C7F1CB076DEEF5A2AD46397C5DDF9649 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = 1D94EE877BB6DC6DDCABE9F15798A08EE734C562 + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD256CC7E289C46495114750E94A47D7292A + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB86CCA42CA0AD1565428039B2E1D1765A35 + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7237DDB8C687AD2C7A992B8C6576114F5 + +Count = 150 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD91B819BC489C0EB3599AB52D10D20A3D + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661FB06154DF98EEC70F4CBAB0D9AF1D6F97 + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D14667B4C47A56AC9DCE6A3EA731E8F506 + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D29F4283A3E8561E4AB2D1BDA4BEEF3E8 + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D1AF5F76A81F9FE794C65EAC19861DB7C5 + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366C44D24A7A4F82EE7DE9AF9F0B18F9C4B + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBEFCD6E41B5DE26FC6ED979E499D0F707 + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A608609B0CE2D0928F4E3F6E6EF2E49949C475 + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF8246098C9BE83A890351F779F1552FD0E8 + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5E16748268CBD53BDEADDED128A26F0020 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6762C00615DB392EA265AA3B32CA409F0 + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DEEED3508B48854EA07DC86F54E1EFE963 + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42CCF8CD9C8D3616800E5D936D2D3D0B8E + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C34862558C23F38DEEB7B98679B5511655C21EF0 + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F8DAE18C7229A6DB7DB45C310B5094C7F5 + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8ED6E07EA254B101E92F186388D134DE20 + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = +CT = BC3DC5253B7C59DA641D5AC9B942C794B93DDB08C9 + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00 +CT = A18A7E6DA2D6A3A96218E5B8E91A8671D97CE37B46 + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001 +CT = E6968F13AE1BB1FEC2B4023C887E10A1941268F52B + +Count = 169 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102 +CT = C7119EB3EEF478B33FA3F64A9DF957E2BE1641840F + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203 +CT = 59F8F267DF8FE61C0B6EB8C19400EA13719404A193 + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304 +CT = 07C91CFB993D20D5820AC959B5E06CDFF7E8B4415E + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405 +CT = 59364B8EBF9F84927BDD145689DC22E52ECE3E84B9 + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506 +CT = 2ABB7B3DBF4EEEFF2486388A31B79BC4B6AECCB969 + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304050607 +CT = 3FD7897D5AB0883013FCBE8092535AA1DE1612C4A1 + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708 +CT = C2541014DE87FAF172D617B92682F307F76D3DBD24 + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506070809 +CT = 0334A6C7897BFEC1B8DC4B5684C9984B699BEA9C7E + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A +CT = F86B45F4A7011DF8EA0D61308D05E3BA75EDDEC95C + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B +CT = D3F144B4B13691E1F3B82A9857B756152296307857 + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = 
1D94EE87B6B2990818D04567EA102CE91D75B93A34 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD2528A97803BB7FB228E5CF5D6B31889083E3 + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866D66F303A2B8FEE797F69C1A516B448711 + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE707A647167336ABD3EDDDA379F91958EE34 + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5B67B402CC09475AF52961C6B53BD0F465 + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F5236BF69BC516C391419E7CD1000C3C1CF + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D149CB50957A03A2C61A220ED5C693E3E107 + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12563F3C2779F4BA0A5A67CABA028DBBBF + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D1040E1CE42237A075EECAA3E9D6ED294496 + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B12F1500814A2A384D66EDA4896036DF2F + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1F33E8FAE2CB4859CCEAA264EA5F19307 + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E5674FC9A709ADC66AC3EA4E788D73197B + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF8282F761835131C118D3E44EEC062923A748 + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF08DD00B96404E208F6434B29B80EF331 + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E9192E30F5DD538508E8A4538B1650AAB5 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8DBA069033304B3263110BAB25C14E4A26 + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0092E078BF4696CCF9618F0D81B2E526D + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C3486255128C214D426F3406C02AAABE8688A2D443 + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F8913643273D9EA3BE36A843F403320AD92D + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE4985C49246054BE7CC22546367E391D29 + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = +CT = BC3DC5253B5E10AC02958BE528FCC1B2E2271652C452 + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00 +CT = A18A7E6DA2BDF34D3EBEF499989C7BE57DEB204AE3DB + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001 +CT = E6968F13AECCECF81376A6B20E00D41E8D5BD6D77E1E + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102 +CT = C7119EB3EEFD49B5B625BC24E482E4C50F5EAEFF2BB8 + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203 +CT = 59F8F267DF3A4F538C5B821E944732C5A1F50D12E956 + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304 +CT = 07C91CFB99C3767E2E1E80EDD05983B147AC085D1357 + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405 +CT = 59364B8EBFDDB7BAD1D0960AAB37E719E914749E8892 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506 +CT = 2ABB7B3DBF9D8E17F5C5AC5CAE025620E586BC9859A3 + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304050607 +CT = 3FD7897D5A510D3D96D70F226EE83054AE33829DFE54 + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708 +CT = C2541014DEED7622A42F221284AD4AF67C1FF61B5820 
+ +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506070809 +CT = 0334A6C789255A428A12445B9DD964AC3D495FCBC44F + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A +CT = F86B45F4A76A834D4B1B83CB52062F79109975EB6A02 + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B +CT = D3F144B4B1B98245ADE1982B87866707C7B8E3241A21 + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B63004B87AA70C7687D76E5192FEAF3F1CED + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871E31F307B802D5CA6EB1DA5B4A562C153 + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDAC5AFEDF40E904889A8E4A43D1771FF36 + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073DFBF03CCF5F23DEB9B88F4E24BF4F5CCB + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF344BCD855E460EE24E2607094EA038381 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522E67475982C90F4A5B571B0A397BBD2C1A + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 
5C49F1D1491C0BEA5F5A9FDD22F0F80794BD9C8241A2 + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D1275F1A7EBAC78DE9E4AB8117D57BC7D2967 + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB6EFD73A0B805E6BECA66EC891265080E + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B15781043E92A19359C5207A3B6374599F3F + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B649263BF239EE6670450F779775FC429A + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDFDD8BE256941393337ABE8602026972 + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820DB56D4849D46249BE020AA83F898EC480 + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF824D64FCBC0AD2999391392E5BADF0DB73 + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94E3E0159AF47317848CC823CA17C02342E + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 
542547DE8D6E976F44F973A83E4CE858D35F1D0CE893 + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5EF97E786B1F1C9A5793631ABEDDE3B36 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CEDC5273A99C75FC4DB5169F8CB4EADF93 + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E720225E798AAA45B748AABF451719452D + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40CE7DD4D0A8A2F08E167AAEF708CF77EF4 + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = +CT = BC3DC5253B5E0FB88379605FEC402923390EC3280338B9 + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00 +CT = A18A7E6DA2BDD0AE7A506E1ED665EFFE4C0D71E82DAF17 + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001 +CT = E6968F13AECC54871AC4A43B18F5295EAF8ADE5DCACA29 + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102 +CT = C7119EB3EEFDF103160462D387E6CB094643A8BF2BB224 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203 +CT = 59F8F267DF3AFFE1A428BB5DEDAACE9DD34674D417C2D6 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
00010203040506 +AD = 0001020304 +CT = 07C91CFB99C362B6D75E0FB4036DC17758E87A57FD4434 + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405 +CT = 59364B8EBFDDE37D06046B93C4589D827AD48D453FF9B4 + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC8FB067E019C14F6A75C58523839BC666 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304050607 +CT = 3FD7897D5A51C0A0A181ED84FADB9FD62B04A1918A528A + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708 +CT = C2541014DEEDFD8F47332FC780A624524C6AC1FD4A3AE7 + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506070809 +CT = 0334A6C7892507D0B540E2762F6104EDFFCF4B35783207 + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A +CT = F86B45F4A76A4384F358F1454B2F43238C98B1AAED75CD + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CF0E7926AC0F7406EAFC6535D7969BDA2D + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D4270E6D967332614EDA562CB0C1D34E4 + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4E0EECFC5ABEC3B65476E743E5C3816A8 + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 
000102030405060708090A0B0C0D0E +CT = 2931FB866DDA150EE243C8F7779773C900DC27EF026F6A + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04B7C62237A200A944DE84E1A2E63152E4 + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C04A13E1837D0494693E48A1E0E3DA398 + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED67AA325E476E4CA74179E374956602E0F + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC35C1FAD83F3F11BB1CCA8D3E8E353A9FF + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759E09CE80DA8E6B77BECFFC6A0989710D53 + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB250668D2EC1FA56455FE36783DB2EF2B55 + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157398F07CFD862B832007E684EA7987A06D3 + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B6678892BB9BCFCA7DEF1801712C1DF8A310 + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 
D6A60860E53FDE54FDB748625831991735AA57D41082FD + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D707BA2ED657D8CDF9C5E49A9EBDA157202 + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E6B4B5824EA7EFC0D6F89A788341B6165 + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE876FB507720727239EAB0A05F132BE048 + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A6D98510B123B3D10F82A240278B16215 + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FA0EFD6BD2E99929EEBF65DA8E6123AAF0 + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8697595F8EC0B6589118E9ECBC774517A5 + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D496BF1C86EB3F9FA4362B30CB662D83A + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BDDCAA0EE39D1C11B87F2629DD0B3CDDD + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = +CT = BC3DC5253B5E0FAD67D407CD7E9369FB3286837C899BC103 + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00 +CT = A18A7E6DA2BDD06CCB5C2773F2DD07884F0BBEF1803CC0BD + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001 +CT = E6968F13AECC5488470BB18D9283F3F2EE80BC25607F1C06 + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102 +CT = C7119EB3EEFDF16AE7066854DAC9F5D22AAD45831F84EC50 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203 +CT = 59F8F267DF3AFF7415B737824C0B1AF6CC66EA083101AB52 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304 +CT = 07C91CFB99C36215C9827489B15F7B6B8D2CED785AD368B0 + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405 +CT = 59364B8EBFDDE3E4CAF88706C543F9AE2BDB14B8DCE75E35 + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6DE98ABD55D4A099979BFCBD1E0CBD4DA1 + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF6024D9A2117AC519496A1264AAA5C072 + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708 +CT = C2541014DEEDFD1AD1FF96F054D927045EF653A93C910610 + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506070809 +CT = 
0334A6C789250759D998D176A1885014D0FA04A35DA41F48 + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A +CT = F86B45F4A76A43918B57D85B8BF61B28F6DF4F934B7D5879 + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD18D9E9F406D0515C4E25E3D1F6C45F89 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D51E044EADA01D9FD0F7AE8E67B5B8B6818 + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4450F38A628E0C88BF5F552547E2B82EA63 + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A0C37A2E13D89BCA74A8EF2F85B1E5D9C + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E7F7D49CB6F59E5C87208C5EC2FFB6DF57 + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C004AB8A7158B5673CE9E0CE182A5A78901 + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61F4002BFD368B5BE25A55394FC321FC17E + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350E0E5ED0662C199A61843E479E528504B + +Count = 285 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFC0235C2973D41239F5BA9981907514840 + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257CFD8726868C5EF0CBF7A032DF99A83EBD + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392F1AA250016052CBABA2414E2605525D53 + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B6677989EF25FC43D03E27DFDDF9C26CB0ADA1 + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F910348C3E101B0D90D1DFE7A73322DD2 + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703EB7E596541EA637DA601621010B3C6961 + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FDD6556B7C7091B51089DB795A50ECADB + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2A690F0D1E24A604D8702AC6FFE86741C + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 
542547DE8D6E5A96839924B8ACA7038E157046E35CDF7FE5 + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFCE98372BBEF2EF605C62133CBDA5FACF + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629018DEEC33398BD6DC67B9EAB9C5097D0 + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17760486A35C915F5D041D4E920BF0717C + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66BE9F326CACAC746CA2CE090964EC927 + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = +CT = BC3DC5253B5E0FADF716EB0C8BE9EE8EA1280CA61FE9704CC2 + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00 +CT = A18A7E6DA2BDD06CE71828C201194D9F632D3FAA71835C5D5A + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001 +CT = E6968F13AECC5488620B9CEE7B59C98B9A8468B5DAF4836CA4 + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102 +CT = C7119EB3EEFDF16A8A3829CFCD1F9D0B7E9D0E4F3DDCE58146 + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203 +CT = 59F8F267DF3AFF7464D1919654B80EAFE1CC5C2F3625653352 + +Count = 303 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304 +CT = 07C91CFB99C362153D640E2C86085D108BABECF58900412EF4 + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C919A592BB1F2449EBCA3EA5341C2D2BB0 + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D95910A2DDE6EF4E507F50B792DBA51BD6A + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58A7E4CB3F2041676196D3486DFD220A63 + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8F8A854D5593179AA9F092094F313E81E9 + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506070809 +CT = 0334A6C789250759D883A74D23D042F60DA5C673B2B69DD787 + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A78DC38855C099C2D01D2F207FAD9DFBD9 + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD55739B6481A87D5DC3ECAD6986A476A4EA + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D5610246E2BDC01C84CCBDFB139A7DF51 + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = 
AFCCAD252871F4451A4763B3394E693023F412EDCB0DF43583 + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A138CAB8D5DD97C1C95C124EBC9355C5D83 + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E7502CBEE1C16597B879FD1E54F0C9582B6E + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006EA63B2F7668042AC19D5AE7D701B69982 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDF737FAC2B45B5FD5C1F42C43A9E5B6A6 + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350EDFAE6B59DFAB07C4B67A6A308B7F880E7 + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF067B2FFFE148A224031B0CAB7CF655A5 + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C848A32AE41BF4CA2728BD41CB7949BF8BF + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF161E6543403673FDDAFCFB4FD56EB8CF + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 
000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B667791004A1BA5C757B78F6ECBCDE2F0C1A4098 + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F45E35CCBB91330AE67139EB6E4BECAEB4F + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E847E2D671C251189AC116933598B9B227A + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF6734FB9EE3148BBC5EF9012A2C519A438 + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C7DCEC54FEB248064078CEB28E4A2FC767 + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B092DE6F1510BD9D2712003D1F44155C69 + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD77523C642E287E118AA7761107D334F51 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A29BA8D2047B2233D44CA59450DD29D207 + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 
B13379F891E73D17568CB9680D211A0947AEE29853FFEA46EC + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66EA28606BFBECEA01DBFD87B49632D4382 + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = +CT = BC3DC5253B5E0FADF7C89212126ACA3EE95409D18206160392DE + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00 +CT = A18A7E6DA2BDD06CE76B572E6AEA4E24FDF58C61064CFF90544F + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001 +CT = E6968F13AECC548862F023823FF917025A1EFD19465F1045AE62 + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFE09E0F98B74EAD9F7A585E505DF1025 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203 +CT = 59F8F267DF3AFF7464D4250B73673074AE6A1B5CA26682879520 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304 +CT = 07C91CFB99C362153D3C8C108B3AAE855C2E86AC5F9558DAF738 + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93C436B01808A3DF261D8ACA8FA344C6B2C + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E81C81D95E672A6A7145BE31A45195459 + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 
+AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C8D9FF3BB680A10D435B986A518152D06C + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FABE31663B3E34063C36659F198FE7147A6 + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7A33D752F29D27A2B6139555A56E68938 + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CBBF469B366C97BF35ABB3DAE503361AF0 + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508AD397E39036EF86066920E40B327D31D + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2B0657E4217F35F03FA0646EA7167F9869 + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17B5EBE9482DC61E69D6CD81BF943DCBDC + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D186FC8B839DFD2A741718A3F3C866D621 + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D426BA3DFE9D4A194D4D066C6C2B8D98A3 + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 
89DC93DD5BF35C006E398958A0BBB36548EF3BB9B5161A76E3E0 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC045B73CC16C64B04BC558CF36AAEAB829 + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9DA9B1D8C852E92501BE563AFCAB955CEF + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9C295DA068B64D8996C8A055910B51E674 + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B5CA4E83A544C3DE07C700644C09944B53 + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF124CA5DE4D2F1491D2E15BA659209A121F + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D4B2BDD7601FD8D34F4DCCE744C213D8D + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F45585F8011AB510DA13215DB2F7907E0C380 + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426F02A37170A8AD48B7162AAB751091C65 + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680ABDCBE9DAF6936D04539C69477163DEC + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78328C34FD5B416E749FC0973EEDE89B2E2 + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095FB1231D1D27F73393FD930208B646DCA + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721EA47DEB7CEB3271FC83FA5C29A62C0FC + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C3D596ECE783CF148EB1858D57E8454F31 + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D1756013C4E047EE1905B7EEBF6A8597D1BEC42 + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA65E06F0E8E419E4AA8FFDCA1283485 + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = +CT = BC3DC5253B5E0FADF7C84902B6E77E380871373CA3E104BA25A5C0 + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00 
+CT = A18A7E6DA2BDD06CE76BA3843CA8AB20703CDFE55D05A3A6177BA6 + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001 +CT = E6968F13AECC548862F057BD9508D4881C26C618ED88ABE77BF378 + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD75A1017C124834CBF54794C1AAF38E99 + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203 +CT = 59F8F267DF3AFF7464D413C32F8EC0DA9B3FF16F506A79E3A3B5FB + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304 +CT = 07C91CFB99C362153D3C45693C7B6366FE57CC25B342E5EF0FD681 + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB5CE0C93342ECDD70E87621AEE65F9F67F + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E901FC38A4A447E6689B61872B8B39835BE + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81DF13F4214D4507C3AE8B63186EC0AE83E + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB940C47D59AE0FFCE75B5E62CE4E637A173 + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AEE3FF47EC9265AD2488CBB7CBA39C4DB8 + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB4523FDB40F634266120854C4F4C0AEE68C + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A297A0F1C6FAB0CB2560C057DB6FD78502 + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB780D1FFA522AC98F7EA8B08FC1E74F0E0 + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17738D9BB251F571D6849C2B5385D27686EA + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D24462437F045475EC25FC2A461C5B001D + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D474D04B672EBD51CE87E52C458902D14292 + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39AC8206234BD38D5E9AC3754EF16BFE251E + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04FEAD9B66297CDB20233010E5613297003 + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2D0935D83BE9748F77B66ADA18AC8EBE67 + +Count = 384 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC7A0FDCBC8860E146453AEF0A0C9E5E54 + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52A221FAF61985A4C7C0068ADA0D01420D1 + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB213B2C715E23DB50D16E14524B265BEB + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D054DE6FE4B8164CFC24767619E24FC03A4 + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EEF0DE82DD53160B1CDF934F97BCCD0730 + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBB0C0178CD4D01ADD4E9D7D4CFA2F02B + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC2FF98E123609425A2F4D75BAB1D13C98 + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C7834320F7F4F6DFBB102888E819F6E84A1855 + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DE7B8D9021AEABD1547B8AFFE18124D3CC + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E6A9CF580FB0D102CDE0A6430849248701 + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39B50843E792688F2812C05B37C43BF5B6A + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D175601609BFBECFCAE77103E6933EB10F63E1453 + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA8D62EEE8E35A0E42DB5EF8C3D1E82EF9 + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = +CT = BC3DC5253B5E0FADF7C849769EAA8072E4663A05E3EEC29D764B0887 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308AA03BCC0BE816F11284D637F5D1AF725 + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001 +CT = E6968F13AECC548862F0577549AF58B48CB5280CE44EA044A986BE9C + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102 +CT = 
C7119EB3EEFDF16A8A9CFD7E81FE8F7AB8C9C6C8DDEA8D0F832B4DE5 + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BA34D80473EDF08303A120004FF304EEC9 + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C429E7B5D8A899B1EA68029A542567825A + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A2A04E71A06FAF269CEEA0FA4EFABED6 + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2D3B4D0912082526D9A6A80BF31322A59 + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44B4F0B9AA102E203945CC81CE4915928B + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB945139F114ADCF600029F265B2E4315123BB + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6D50DFFBCCF82158B9ADA7D600CB80F734 + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB4518F0939D866A064DCCFF103210C87E1452 + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266C76E6F4F679FAC64753455B67585D348 + +Count = 410 
+Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB77696FFB7484CAF25BE27494900354F04A9 + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A55434C70A9B039C0B65E9245AF420C45 + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D245B83089DFE800087BE11A5AE5625B610B + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454BD0192C514FDE78CE06FFB93CBA74FD9 + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5D95A555E7C522FA6FB52C9B66FA0D25F + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C033354E3510424A6E96F9548F4C6DB8 + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE57D3DF8172DD905D875C67570AF2BCA11 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9C7F40FA22B5D43132D93FFF43043316EA + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 
000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACF860A88B4CCFA629AACDBC5E2F39F66E3 + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB2439431D7D740F1216BE3085BF00CF6391 + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D0587BEAB4E85B44B9F3B2E9F141F496DB73E + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE8463E9121BDC88B7F9C46DBF7F57022698 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBCBDA17F3FC5C84DA45592622DEFC33F2B + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6859DE97DE9EAB5920E6237D882F9453AF + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED45D78C77C8216137DBE5D2E082D5052A + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDC63F7AA199883C673319305D13E8E0AD + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E6870C3FF04C2403728665F3EC73279C4DCE + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA3E050946D38A1BD57547351D6A70C0BCA + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FAB01DEE7F4F61394E7C7C64A3F54ABE1C + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F7CDCCEEE91BB77ECAFDE87E279122CCF + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = +CT = BC3DC5253B5E0FADF7C84976A3D6EBCAB9C89E1C8F06C9F54B43D4B158 + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00 +CT = A18A7E6DA2BDD06CE76BA30833673088A71AA58FD39F47D1EE58A54F1D + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001 +CT = E6968F13AECC548862F057750D5EF7E8F94CCAB8DAA2B92E01DAEF4106 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9BEBDCA0F7FA749722848B21AF414C81C7 + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAEC55ABE7A6D33FC9305ED6C2D6AA3EA87 + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48D85B68B9358EAB8F418E8F822158DA28E + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A170AA48DA66DBBE9766B616FAA95F3A24 + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2947BF1DCE8D5210279A16DFB79A99F65A3 + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E7F0E5F8FAC48DE006991987722C5F36C6 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DA0D13232312F5EAB6946F4D023A5790D2 + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB0F76A79B177F5B685ACA42C04C85FE688 + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183ACA5C0658BB5BCE42D1CA3215173498C2 + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD7B8DFBE7EBE31726909666A1726F8690 + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3E1D6E2C2D1906A7B7714DBFAF186EE12 + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A9605C22C05188DDE5C2BF2A9185CDA92FD + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457FC7118BD3A317A1942D8C447CD14791FB + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A325C8B639D322E584180BCE3E78A4D5B3 + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F4ED3B8D847EFFC253AC1E0C707624CCAA + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C061E4565B5FD0D0D8A4C3E47BDD62D8A4 + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6D77DEABB5B8A0F60252EDFB15F87AFE2 + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBDED5F27D98ED9466BD6F1A3AF98D8C792 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD819A67EDCCDEE5B32F4F4321177139B60 + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 
000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246C9BEA31AEE3BD96544C1EC241FDC41641 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D058713338CC27F30A1DC18D9760E9D4D7F37A4 + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27AF11AB848A634BE6CC7761A927BD166 + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F3AC49E66F183DF2A6D48726F69B64F19 + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894EA0EA0148C1C62327D8D61757A220D3D + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12055DF6483992B41465180AFD2AD7005C + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6FA667089A7429ACCA8FB75A069DE7ADF + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E68792204F6D96C9E4CD2DDB32D7985EAECF95 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA355A77B3463F65F44FDA913C9AE64FC6593 + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1BBF9E214AA8835C1F64348B06EE03C877 + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F162E84554D6C02CE0B6D6EAC7CAA0DA7F6 + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = +CT = BC3DC5253B5E0FADF7C84976A3526974C8BD16B8D6E244E01AE8114D5E03 + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C5BBA5AF946BE8C1B5E97C7ACF9D27909 + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = E6968F13AECC548862F057750D156E7CB84D217A03AF06AB07F6697A2DB4 + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B323DEA59E067BB49BF04DE82246B62DCF0 + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F3377BDB0227C62B0FF1431818DFD8546 + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2F1408EBD47305F060171D3849934656A + +Count = 469 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B58F5BC31F3F2C9763E49762E8ADAF3AC + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F29445ADFCF3C0A7535990E450A4D04A3B520D + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E7454E977EDF5AD3211B2AD9E9F6139C6D34 + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5E767EF60DC99A6F9B34CEF2E94727B60 + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B0FF88847D25F771CC7C789DFCB740EF6 + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1EDEBF84D5383E8F0C7A2A234659888317 + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD494F6ADC0E0E1368B2A2DED0F84E67B889 + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C1E536F2061B3D5DB9199FAC5C1413160C + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = 
AFCCAD252871F4451A17736A96FE22C17391FEA92E7F3DD4B48D6F0E5450 + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A846D74BFD18BE2AD9A420DE93522D5C5 + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301B7F50501D2CE1E993C39A06910EBEBB2 + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F47576E2876D2AC2345984F5F294135D4329 + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C06498C72013A94D077E4D71318D72DBDBDB + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC31078EBBCB2E7C630BDECF4BDE45E1BD + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A108FEFE38BDF960A51A035CACD3B915E + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888F7CD7E73AA868D85F67E25DD16E3777F + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 
0E927366B157392FBF12EB246CE6406BA398880863FBBFE6E86BA89B8B83 + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303B1814AA14F4970A26F12F033E1E7E3B6 + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C8DD0765F39A5C235103203E05BBA6C62 + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2DB453A55603076CAB61AAF947D8F75F99 + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE0D0CF4B723752510F4F77FFFF9A8F7BD + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED1251623A00831A813231FF72F90CB41A8991 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CEDA29D64191E4DAB7166F7AD3DE9A6977 + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925980D45A9FC6939B53E223429454A838C4 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D 
+AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA355689600381788E9C8C8B41C8E46C0314326 + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3890707EC720782F13870615E18BD32A4C + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16ED7653661178DDB28C86C343724FBB0A1F + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = +CT = BC3DC5253B5E0FADF7C84976A352731F4A137F91C30B84056EC68AB3F3DD81 + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C285FC4CE4E4055477082819B3CD62D086B + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = E6968F13AECC548862F057750D151B09121999F6625B582166A1AF5A64A734 + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B324385443621059BEAC9BBC4F33DE2191448 + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D5DFED387219DF9FE963C609929C0DCAF + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2849B7236221B5A2263FB643114EECACF34 + +Count = 502 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A6E08EA89E8A4DC9BAD239209A83245B6 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F294450482B422094F2F99130304A6669925FB1D + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E74542C0AFA4AED4B48BF66536853B6D183E50 + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5358D60F3772F9219EA2017460103E7B14A + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8F8FF7EF1E1C0BF73AD728988A3DD79DD3 + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33F341EC3D31B5D10771DB726B0ECEFD39 + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C9F027C9684C26526CF3EE799A49E1B15 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B20582CE288AC7A08CF989DAB8D3F1D8C + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = 
AFCCAD252871F4451A17736A96FE9CD94BA6F761CF3908471D53CFF765DB4C + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A519BC376264E42E1374B41F81DA8AD8CF5 + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C67555224389D3CF71F9A42A852C0ACC97 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD36C00B0FF2F20E8CA09AF7E4225CBD0E + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F81544DC7625E2D56261DB662315096D75 + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4B19B9C993E2666F811604A2A283665E1D + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13A18C2E621F9EEEA146BF10FBEB11B9A3 + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0BB46B38B2EA17790CD99AFE17FA9063B + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 
0E927366B157392FBF12EB246CE6D2443D6514FDC75ADABF5CF3885EB3D68D + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D0587130331FA6C12A5A2DA2259930122E772E6EADC + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57507B87769CB464DF1C61A31FC60E29B3 + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F7747CD9C9E16392985A4D6486F932400 + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2EBA4337D8B9FCA470F4F7F1A5A6387D22 + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517E8616C44EB5B08AC4E16C58DA6BF60E6D + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33BE559599918ABFE52D0B07FF376FBFEA + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E68792591090A922FBEBCF595D18D37E3C4762ED12 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC7F1C62A0B01E384F259F22060A38C376 + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857107B8D7A5359447DDD86A7B4F0BD9736 + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDCB48B0C176E9474A17CC8E3272AA57232 + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AA8D1F562938D64AC60045BB9D443E3F53 + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28725FB561610A11D6F9B1E31667AEF20412 + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D17627FD97297FA77D1BAB99511E50E3C + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B324333D9B429D0102B0A4D3E3AC53902B418C3 + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D482827D36A7CA1D085557182DD8A94490D + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = 
07C91CFB99C362153D3C45C48DE2844AD58C87A87FEAF74074753B0A3C79453B + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A190A3389CAAB3B01BB238C53C347BDE767 + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F294450471B53C9CC863F97502B535AFE920FBDC5F + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420377865AA9E45D6C1798FA3DC4F06D8320 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B3E7295556CBE46A42E6089F3CCD32EA3 + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD1F708114145A04BDB1EAD28C5ACB50009 + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D1FC30E523EC7928D0173020BD3843AD16 + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47096300629B7F455391228526C46D202B + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2C680BCE66EF112D34BA2ADC1A82FB7FB1 + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1FA1D69D6D0BD57FA46A38FB7373D3C62B + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE0B5562210DB47654A47F7B95B6B868C8 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B82165825BEA939308CDFE00BBFC1D801 + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62776449343F9AB97670A9AC53F52CF781 + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80AA26A6E01578DECBD579612646A0FE23C + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB742B5076262EDFC0FFDA1FD1F29D0F59 + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E84D33D23D6F5C5EAD79252E0A237E6089 + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9F19E88E534B15D140D8529999F6EED46 + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D6092615E6AB47F8A62334F82BFBCA3FD + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C9C8192F877AE6270205AA8C63C298DA0 + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C5700A39374FE8CD09069EB2BCD9506029C1F + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A5720D4C09A904F31412CB65E42EF2C1A + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E53921351AA4E87B5653949F31C6B22090C + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA06A6B7A5BB31841DCD86011EE65BC120 + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF044987783A722B2689DF65674F6E7C3C + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 
2473EF42E0B5FABFD721E687925910805B2596704E177D469E84FAA05B60CB67 + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C9D567100243C26E7917FA3EEDA2AE9E1 + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FF710570C0BCEAFA8A26ACABDEBD88872D + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86789DFEE4602528F4900096309F29CF1E + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7F76039828A87BB54ECE70F8400CA10A8 + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728B611E161F160130BABB39E778F8D9843A + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F656233F1334B94EB62471715B8A0A535 + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B3243331731574960721EB2772FD350E264C76D36 + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = 
59F8F267DF3AFF7464D413BAAE7F0D481870BD2327DCC2FB4394EC6C94F2E2BD62 + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE54C9BC66C25F2D7D704C97312051A2C1A + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A037BC3EFA8E15F8DEFDB419178D0AB341 + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713ED80F0B8887A423CBAE93D963F335951D + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326652A4D96B996BAD6020FA9F79894A140 + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B336F543D2C70EBB00C57D6EF91E50E3F1A + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FF77AAC6BF004BD76AC7B52D8BB581BA8 + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192C59F4D28746A66F1889E7481400F5784 + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C51B645A0DF6D13FC400EE84A01F98288B + +Count = 575 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF39DD4655845F3E5A378E7A78D233B9819 + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9DC9D4223F97F8C4C1E8EEE58ECD64DF83 + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4C6497B8BA626A58DF24CF2CB2021882DB + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B27B0B3D35F58FA30AD3DDA946393E5ED46 + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B21FFC04F7A691ABE5B299C7047432E182 + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A8076C2C267637EFB8576C5DBEACD9920E4 + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35380E71343B853A4B38876EEB6DE3C274 + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836314E86B6CD43F16A4B1247F2FDE02EB4 + +Count = 
583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0C102DEE06E8B9762FA57D06AFF421C5B + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A9021CCBCECD85ECDA30DA5DB4220308F + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93AAC62243C336FFC20835EA1C8F8F667B + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CE00CB047F5A8A16D13EAC8E94FE14559 + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7F97CE087877E1037F7C14771796462CE1 + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391457422029BB8C78C8496BD6B194AA2C9 + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA768BA3157B2A58DC921281A24B993690C9 + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E7185E304EC22955C8AAA447EE745AB8F + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804FD2989D27F11AD69F6B9F40F7A31CDCD6 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C383D1E3145919BA62A722FD5067A7749D1 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD7C4762A7CB0FD89ACDD395095FC82E5E9 + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC8621E8CB51DBB397732BC5CCD451C235604E + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC71329ACF88C53F6BCB4DF3B170838514C6F + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADAD37AE0C3AAFCBEA113BF2A169C77F83 + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F03A732A1C1038661D91B4BBA7F14354512 + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B324333179132740B58C65E095AABE665FD0AD9F1D5 + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE25EE2B880D79AED8354DB091D6E67098 + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE573313A07A0558887219A6FD52F0274E93A + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D08BC81F2A2C2714C7C707062B32FB62B0 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E126E8847F596AD29FB41FD1B099B13350D + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F039EB248AA5BE7BFE17A899411B9B186D + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B3332F1090EF9396A651E64712C1DB746D788 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF2B653B3D8DF73B5125E67D10D9C1D655 + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = 
F86B45F4A76A4391A7CB45183A1E33D192B8D2A879EC603979E61485ADC368760825 + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57E950ACCA29FC24E402A09B2621FCE5FF3 + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB7DC3CD273B816ABCA37667195B9EF38B + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6CA3CFC8ED364542FA19AB63CD146000FF + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B866FCDE033806A1458E703B06BBBB13 + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787199B1421C80164C475E2266A0C6E8CD0 + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246F4DC75BC4E6973099ED312A2AF4BFA4A + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BCB1FED0E7250831268EE1CE2544C7F810 + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 
000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F1A24531C4CB51F706AB9734795714E748 + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D650A5A8F8F6482946EDB846E66A6164E5 + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB77BD589D3ED4C9493E6CAFEDE4BF0AE0 + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72AA47750D527FCA9A6DA97AD15C34E072 + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C54482C4E5ACF7D5EA12F6EDCA172B83C5 + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6ADE54E6B0CC281FFF56FE4A91B77405A + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD08DF8FE01A6045A22E0034C54C7CB2CBC + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDCD4BBF29A991C7E98212BD88B44598BE + +Count 
= 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76667B2BCE9558A37A9646512A2165E45EDD + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C3C3DDAFE1955B730341464FE5CB9C20F + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88038ACF941BE323FF1F428FB07CEB9B19 + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C3843620CE95206E49EE8315C296F6214BB6B + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70DEA5C22E139C05F2169CF7607AA712E49 + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212DD0BC63DD4C69097CF92FA0DCBBEBBCE6 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC71390698D48625E0709A2517577E802CAE0CB + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F 
+PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC16CD921E9A47863856AB07699AD94AFBF + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330043993278366E8E60DE981F03389F295 + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917657C1D5FEA21100380B34B4F031516528 + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE545CD7848150F3F75530B3FE7EBD2699DA + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733B959598E20831F8C01EA93435C97D9DE9 + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB085ECDEDA38227E399A54990D6ADE804 + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251B163705EB12D9B8A970E93D347A3EF05 + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F039DDB785F76FE659F4F19D613EF54EA6 + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = 
C2541014DEEDFD1A8FAB9451DAA5350B3332379C6775A77AEFA7C582DA33EB8B87C44A + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99DCAD8DBEDC07B4D8757B2256DB2A5794 + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3AF66972148CD843637CB47CE35D041BA + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA22238503540D2D6A0167B12DA49BEB4A + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB5045A08049B26D9A7A97CC96CBFD4FF810 + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C54E2E8A420BDBDD6FFE367781CFCBF961D + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B945150374743D36DEE28DCCC185BD9AE9 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE140FA0C38B69A5CB1E345EB550E7C743 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 
000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B2469947E32FD20353C2B56CE570CC4CD609DD + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9AED07B4B5E86A70AFC3F3BC53D450243C + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F13018C2B7872C7E033947456F0C353B1B18 + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D645EF879C35686306B508C8A86028B2E1DA + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19008C48C713BF2977A018AF81305B0C3C + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A7287BB9743A67FD0039BEB0918E4ACF28D9D + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5DFB1470DD7488153836435CBD85F3641 + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FBA5714DB31C9381BDFE4704FFC48A1087 + +Count = 
653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06E57DC1036D418AECF6F0C79BD696FF36A + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAB493DEB09CD0EF81F213A1292C609632 + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E82DC23146D147A7906554D469E16C0CF + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C341253171B457B2EBBDBE3CE2AD2486064 + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88ED368E9C63E17BE89F73168971EC2D281F + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F333C4270DAC8FCF3480804CD58DADC84 + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A8C20E1B5208DB91771FE0767263E5B40 + +Count = 660 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87CAB344A311BAB1EB75853AE4AB7B9DA2 + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC71390574C6AFA22F806258F0DBEB195A0AABC0C + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC153073EC16013BAF88FEAB2A215C9D927DF + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F033061DBC4895D6E86FEEF46B8529CC3DCE712 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B3243331791760515BC72A4629FC0781F249D8B1D08BA04 + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE54275653CBF8D7E8E07CC132C7C367CB5CFB + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7F681196829675E52ABA549F9535F4CA4 + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81FF9013D738F84B2559E4A0026EADB704 + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC7C6D722732CF8FBA05C9548C67D0E0A3 + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F057B9BC65F396AC428AFF6EA91CE9DB7A92 + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773DFCA2D6AAD24082A184A9A4030D755C0 + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF9994D0CC1C1D29981A71B990AA7D9F1EFE83 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD420EA4F8460B65E4B3A2897E8A5D6C61 + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA91FE3456B52102123FC88812B13A27170E + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F674B3C292B640918565EBB79D27E54E5 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490352A3FA6A6273DBE41152F930F35E1E2 + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F1C30416A4235B6FFA4FC2790F4899143 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE9909433F42B90B782C2F8181681D9CEB77 + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B24699497D69AD5A5579E7C6A03C4FD5FEFCE0D8 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57CCBEAC0C83ADD080749E41A31B949869 + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130EC665563EED29603EC56BDEBF85D0C9155 + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450B4210E844D199515C5088C133A5119B31 + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEFFA1CE29CD9C9732F8BAB7B62B474C71 + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 
000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E82EE709FC1F7E2C4E16B524425B0ABBF + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E1E40009EAC4A018D6A19ED8B4383514D2 + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B33C120D18329317DE54A14F93A3A7679 + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA94B9933AC0159F43FD3DB8C6D3C83F6A8 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9D781014E4CC444407FA94F0DDF4C24D4 + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2D315CA99A9BFDBEC6FE2EF414E67C561A + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B189A09FC170DF9526155E754A05FB0C1 + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC17D118282392A284B21677EEF0123D3DB + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F574D59D29C3697B25B77124C5CBB1FE1B3 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09736711A7E23D27B75E4108C3223CABB7 + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8789ECA54B73494EF83A4210343085636 + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8ADC4F484A24D673D16F2593936B34E3C + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535EC19B4F45B31E273838BBB2E420944620 + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F033061581F63F628090CEAEA7096B0B0FE34CB36 + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B675E6D951779700747247F022CE22409B + +Count = 698 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E029F053001771782B3EECE0168F1E9BAB + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB72E6A37DE01FE5060D121A1E9F11E100 + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB8121BA22CBA3A94FD31DA854D1EC80FF1CCB + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC29F8D7025E943E93676454A7F47F112B44 + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774C416B86E1D16E0B749438907BAC22F74 + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D706A9D8EC60C8BA4FF71915FED63179F3 + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F52CEC0219D989CFE3411EB0ACCFF841A + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3B1ED779E6CF9BD616A8D1E4D9C2FAA23D + +Count = 706 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA9193370FFC30CE4128400A55C930FCD17EFE + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C19E41163DB5F9FA16BEAA0AF9B595A28 + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C0359D41614B5B3345ECB65C708B4B8F9E + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F80A408EAC3C1D96FE4BA34AE8AD38A3E73 + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B8EC621E1A8BCDF8A51CC043DD2CA01F7 + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B2469949826B50B1815FCE6A3A1CF418A0B015A1A6 + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57EDFB5E3CE24DDBBAB5E603DE2801C46595 + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 
000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBCD20BA45E28A4EA6FED2B4F0A028187E0 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEDEF493A687AB2F8D6AA8D70EDC067E2F + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0BE12A988BD829B17B2DADC2E4517B945 + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E4351C5E3130C3AE001DB5DCA2A80F414EE + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C7BA6624E5F4255C7368A91ADC1889B64 + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B858FF1E606B0F266229B86BE2E99859A5A + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1E18D6C0239DC7CE03C205F43C5ABF079 + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
+CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6237528A1E1EAC7294C23AB1B5D0AE0A7 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2F44E397775891E38B340379D42B2BF07 + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0AD6CC3F3A151399552A9978BE250E9B53 + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F4904A8C964ABF71A309709AF2A3895CAF + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B47917A0E039935CF321349F241E23B4F + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0B730743176D4528A6B63204F72028459 + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F19CB5728F9942689EC3E6868CE4DAE9DA + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = 
BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB0EE03613DA3F284EB5A0853418C08248 + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C95322EABC5EB0816C204F38FC9F93E5C + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F377DD8209B7BE41A5F1C5306D551BBE + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E0816BFDCE1F6408BAEB88E70E56E318CA + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390CDF024FEE298C63D699854FE3C29497 + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7DB0B17F739A6D34D2B55A43F16AED1732 + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D126CEC9D684A04CF308E7D4F882E66CA + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296E1F31B689B9ACCC19A62088070E41CA85 + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = 
3FD7897D5A51C0CF58C81D44E745420326F0F05774ECA31EEF289C73A623165B63CC326ACD0F + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73CAC224A5BC71E2B4B58F8EDB2BC0CDC66 + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F29FC64881ABD70CA20A9A0667705499981 + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCA4DD6FC5BC83EA58E76E448E886801767 + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA9193570AE6C415D73C24DB9E842184236D3695 + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2EF7BF6BFAB14C9E18CF3943A010CA0187 + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C0349D3F8C0D7F1C4ED0CCA2C41E089A7A95 + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BFC96801BCA7B3D84A30960CA7A572CBA + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7A2FCF8BFC6C4254401D1FE1FDAD688B99 + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B56FE4847C39E87739125D3F22CBFEE944 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED863AC5D8CC775B8286B47B4F4A97CB2FC2 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0E62FAB1E65AE50536B371277C72D67F0A + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF9309DCF5762DACEF6227ABA80FD65D5AF + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA059CFED5C680DB1B09F5A21C1F2F0BBC34F + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E4318BF7AAE7933CBF6F74116AB6EFD0EB6C5 + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4706B4B728EDD6D6C4EE6BBD33245003EF + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85400D29698F9C97DB81EBF86428291B654D + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B1B085CAEA60A7347F454975D1321C7AF9 + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABE353D76B5F0A6199CDDD9D05EEEB6C08 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CC313A7D0D0517D889749603CAF80EE7F9 + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43845017D58A64D2BE7CF3CFF2EC55822B + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DC5977CD325569DF6EECC1DB2F40DBBD4 + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B51BD59069EA5F85A2C62FCF9277FE8AE76 + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C803AA11C81FDB637553ED36AFE73387A3 + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16B7EF9D8C6B55F123464958EC7667AE2F8 + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5C03AC828447EC38CC36BA34D81FD9BA7B + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C982076883D39E80DDE7CE81885E0B2F1D3 + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F50E1772F421867F1304242B8E509712D6 + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09E2A10C6FED18D0F42FA0945DCDAE2ECD3 + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = 
59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390BBAC7CD65F5C472D53CCFA44FCAB44E0C + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D79508718F759E55933D5B22B4066105B6A + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1A823D5BB726D632FF7541965BBFD4963C + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA7397F23AB99BFED1FC2984C2A4A195A9 + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC4929318EE62E324FF79A4BCE481DA5757F + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C322E7B91D74CBA11DBCAEEBEA0DC89B767 + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F292776684D8AA51DF33CACFBCF86BDA04CDA + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD3699D1E652E5C2765E74CE115DB3B8A35 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F87BD33B16A26F8E30D194E22AB616067F + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2C82090BE8FDD8C1A15B3B04D65CA54D57 + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473B2F56C968556EE1654551A0E64082B86 + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDBB80FC455004649AF086FE62CD96B75AE + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADCCFD8E7FE848D2E938543732755DBEA2D + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E39D5357569C3B07BB57EF6467422101B4 + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED8686C353395609C506E4F9B8CE4D054634A0 + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT 
= 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC852BDB0803CA055FF92AA3659230C9102 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97EF53E35C26D9C83B8DCECA021F426109C + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591B1491E6D30DC5A789B63D02D35E85030D + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181E34F2AA8FB4FB89F87D5DD03FA7282FD5 + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C478434D518C787D4E63FFC185821EB9C89C7 + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B854074A3166F4D2E33CB255C92C7BDF7047518 + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B7D230A784A027EC725376E5466D70508 + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD16394351E7937BA57D055097DC491029F + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE68B0E5B9F902F69A76C10482B011CB811 + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E6E0F2F9B19A3346F7BC82E8EFE4875972 + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA9D4CCF8AB7866D306F0716527EA2127E + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166AD09D6188F6B5B47211E5780F37E6785 + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBE3F3F6ACE2C432EF3B4662553D88ECA + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BAB812E3503E904E6BCD82247D51DF73E64 + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC9106A8646BC9624BCF3466665ADFF2166 + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4DF6C0CB53611E5C3C2C14BCD4BE754CC + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F532567042A8FE6D41462D73D2E98987028B + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7C60D272401629FC887CAEA5581666A81 + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B40FB9974AFB3B900F22B24B471398DD16D + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794AD4A22219F17CD4C2F27BEF3322EF2B7B + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1A381F724687357645D967E44ADA71278 + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90FCA267F62B98132845E3ED4CB55FCFBF + +Count = 801 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE11AB78ECE9B795420DB2009F3CA9D8B3 + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C2E27FCC6D167B386800D6DCCAC194ED1A + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D30A20691DF9D0B85500F66CA91486E36D + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39A8E01C296832B2D44F207D1C08DC33C48 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857A983EE7D0F1FBFAFE7987D70DFE1C3D1 + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CACAC18120047FBC3DDEE306A5668C4B36A + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D033BAA36998285BDDC66463DEBBE1508A + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB153DF18955436BAC69B87D6EE86EB1019E + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC22A67FE98BE3E14B0585857AA80B019086 + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DE268A19A9910770E49846DD034C991424 + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F3B131C66B27587182FD065EEF55A6D12 + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC2D21672C1104B276B3353EDF2428C9B0 + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493D00CC6EFC063252899603CACBA1CEAA + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBAEC98DC25AA31608AB22328D3ED2575AF + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA0F077783E8F8FAC983CC52781D6D0D55C + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4784641B9D7D75417213A0A1877268B0ED1B64 + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417D1F698C571F3FA81171685CAF62697BB + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B4954E2332386E073D2C4647D1733A644 + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD1165798229C753E449E055A864E405496E9 + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B430FB5B169D7F248DC913A064368EF8CB + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666F1F5364E4BD64C13379034DD68973489 + +Count = 822 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA12B32E74C3DCE9FF6FEC065BD64B6BA443 + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A789DEF7D6653B7A52F3ACF6BD79D293D6 + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF27B8829A1F2D269A1993F5D584EDCCE8 + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA768B7268DC31B38E24F9A09C335CF4DD5 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975284EFFF7AEAA5BD888F3A00D452D4DE9 + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A3AAAC0807F62FDBE0E6AFA81524223F6A + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320A5F63B428E55BD5072BCD96B1B524500C + +Count = 829 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7841439FAAE938F79244DB6F7DC66A582DF + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B2C32D70CAAD6350FC6C783A7BF834ABA + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A5408DEED7AFABCB0C3A402305CBF20A547 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C18343141F8513518F1DABBBAE5286B136 + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CA130DB7F9C09D9A43BF9C3B9DEDA14D27 + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A120BB435E2D1FC0D85F1EB6E4AEB2962 + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C2629F25EBA1226FC8FBF23345E44524A9B0 + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = 
0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F3C852176C4C47DA80941359558512ED60 + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF227E70081023024D8E58B5CD451F9D3C7 + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EED8C5E74C9A3BE0915948E4428D2600FE + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5B4F063D3FFA20BE72FB3DE668F25BF776 + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CEF2B4990EF5AB69F1109BA9C7657B040A + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583EC1268F4873BF1261476669D3466D023 + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC229129A04880C757FC1BDE5761F63309428C + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 
89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEB1846C57C0C15A492D10EFE59A8F70ECC + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C2415CED6E77F99245D2FCE317960993D + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC13DF16C00829CA922AF8568B7007DF7915 + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493AEDE783A9CB99C2384F4B9DD77A80A201 + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA63F9794F0A119539C34DFC160FEE2FA67D + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B9CDB0F5FF368E2BAADB32B2F0538BD32 + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C478464939F8BB14BF601EC51A31141D1FBEE56A1 + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F65CD60C4513BCEE96E3BCE5769F7293E6 + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B496E01C8DF7886CB522D1E084B71E8A2D1 + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD1161924839C3BC59AF38F04E84026EBC41005 + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DA2D99B2F3DE96312BF85A0B1DBD598357 + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A03530EB1899E393C4BB768A9512212A34 + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128C798CB19BF8A273626863B795B2642A8B + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D787A50BB07BCDE7D0CC6879319E29AB71 + +Count = 857 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF1158B6DABE2A09414E1350BDEFF27A1865 + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708E9A9DD20D2ADDA6C9611E47DA4D88FA3 + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975E8D604902FDE5078DF7473C2FA7243ECFA + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A3727F651DAFC34E93CD1DC86F1E419FB7A5 + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320AE3FD9A5630B6FE30F0CE59B47DB3935044 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7848B4F3670CE83BC6F65D1B2A69A1D14D861 + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B234965CB58D637BAC48287F86693CDA089 + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A5460B056322355FC01B7C5F55716582F4A87 + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C18739603E10E32920B03FE4E17ABF57E0E2 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CADD16E02139C2930FD8D1D13EF54047A6CF + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A593564508BC6BB2AE44FD6D5F2C3170F17 + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C2623784C694F424ECC35B402F60E28A414D57 + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F35B0DDAE8B4BEFE9D74075951C31ED91C6A + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF25BE32D6552564875EAFEF3B8E36E908EF4 + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = 
D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EE0DC09FBE583474C457E0E96257B7BFC6AC + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5BD942A4CAD924873D056FA6BAF4412C4B14 + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CE13F420CD8FC077A1A565CDD275BBEBBEC1 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583D100A3B39279FB90546010D584A480403B + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC229134FF7B6F75E0D0C8257DB6C3FB9EAE5241 + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEBA28CBB4193D9B69418C9BAEAAF46FBA022 + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C5C9B8E619D783FD95020995E671240A269 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT 
= 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC1335FAEB1667DA328C0B38595F927235CAA9 + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493ABCA49F2966C97ACDDDF8C8111773B76029 + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA634A823A7894BCD89BA428C3FE087E5E1DBA + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B5BD77237543601DD59335768E9AD24524B + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C478464934959738EDF3EE933B9325E182AEEF06266 + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F6E9D5DDFE1FE489EBDC2E413FF425D94820 + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B492C80A71C361B6F833747981DEEE65082D7 + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD11619E4B36BAF6A98359531DC6FEF47B204D369 + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DAADBAD0D9D74E4AD70596AD792BDE0BEA9C + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A0077D21F0789E495C6FDC3709B106CB7CB0 + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128CFBE3E45DD4EE3693BAA5616BAF8D4A3B09 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D7A73302029CA2BFB58784F808A5319CE86D + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF1102E1AFDE32765F121844EDFCF2BE673BB1 + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 
F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708C1972D7B4168762B0A1E627CDC671FA913 + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975E884BEDB380DE8C2625C4A326CE4FE77270F + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A372EED6836D2C92FAD9232A40EFD3C3144644 + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320AE361B7ED537B4E5ED4D9DEDF43749B0B57BD + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7848B17F2ACF3217CC56FA92BAC9E9D43005FF5 + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B234DCB684C7B1785596C9227FE04A991F07D + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A54604FBE8795FA5A2A89D38440DCBB7617D70F + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C187ACB1B02F60EE21E0400696C78D4315C2A5 + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CADD3C7E6BF6E34613660A1DA5E41DEFEB6508 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A59895C94879FF5F9C4F45850F7CE4C69B3C2 + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C26237858BCDCE3B5D0E93EAC93659E2DBE1FFB9 + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F35B46D9130A4C2934C2F224B16A672F34A9AF + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF25B72DB165F92A4376DE5C281A9DFD532B03C + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EE0D78FBB42803A3C78EFBC7877B2907DD8770 + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5BD97F8254A8F40F5AED4B2B61CC9D3D013384 + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CE13769B81FE0E1FA2013960431650C662FF7D + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583D1D4259128D44F46A44F06BD7BC00E4EA3F7 + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC22913473C3274F3F5677533868D5B9216644DDFF + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEBA2E1732122FA986C126BDB0F8CEFDCFA5C46 + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C5CC5C9366DF0E4E6332FE38272CF5C21B89E + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC13354985BA63A46BAA15082987EBA9DE73B311 + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493ABCDBADDD3BBD247CD131AE0D9188B83D867D + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA634AD3F33B35C99899021412B7863812D2452B + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B5B4CFD6696AECA67B6314B7DD19B4D991F6E + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4784649349AB4D111569DEDF2698DE80A1DC0EF345D0 + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F6E95D0D2AAA3022027AA5D45B9975A8E5818F + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B492CED9580B81C606A2A9023D5F526A78FFD55 + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD11619E40A995FC275056F3928A0A290DF10CA78D1 + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 
79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DAAD2BED31C11428CDBF22FED16EE85450B43C + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A00728226842BF64390362DDE928725715532A + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128CFBA2AB91ECD56C9EF66EE84F1D8AC9433307 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D7A7B655EBAE48ABF08974F558555004DE0363 + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF1102311AB10421E238F31F6356E420B0D45627 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708C1A078D10FB0ABBBC60F5C8988E91EDC7331 + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975E8840B9C657C78DA2AC5074CF22D28F13256EA + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce 
= 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A372EEAD71C927F2CDAACBFDDECD19CDCA38F528 + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320AE3616C81DF2CC4AC8B13A62F0E27EA2093765E + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7848B17BACC5F854B04699DE188104EFB36B8C36B + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B234DE7546F60D262CA89BE4145FA7439EB15ED + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A54604F5D56DC0DBDFC4D7C48C17A2F1D39FDFE5F + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C187AC180C0C34ADF8CF9C608617DF17D8F32D43 + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CADD3C54541634C3F48FBA04E0F68DE6F319688E + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 
0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A59894B0BB9D3630A98A18AD7430DBF8FCBA796 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C26237859591BADD9637C4D7BF2EF933F3F07B4F67 + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F35B464E6F4CEA10464AEA1DC78F285EFEC8B5AC + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF25B724EEC1CFA7976B97744844AE6DAE5D0301B + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EE0D7840FB773C0743421752422F4B3F541A966A + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5BD97F24B5CAD570846E14BA2421FB02B662ED64 + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CE13761A1B181C111FF998517A09BBBB428966C9 + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 
000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583D1D4F4D7B8A6D2427E1A9F3FFC053C26F33178 + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC2291347391020C4DE9E3B7DBCAAC2732587845523B + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEBA2E11BE6318F2049344BC5411D13F832C049EC + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C5CC50C241E78D0BD96B6FA90E04F1C3378B80B + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC1335493321FC5DA960A795563FD3FD87B0C3959D + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493ABCDB4B5B2605932F6933757D54C09D33A64283 + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA634AD32B9EDA15FAE8B388DDB2D2C98E7F57922F + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B5B4C0F22164603B05AE1A6658087DCD9EFD41D + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4784649349AB7A84BF0BD6287BB596E75A36910F047127 + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F6E95D616329C651552198264BBED00F8EBEF22B + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B492CEDD88200727A4F1BEB32AA6889EBA65E3D95 + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD11619E40A2315CDDE34EEA764A5DD07BE15C7B13F6A + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DAAD2BA8870CCD9A56728C7994F015B67FFF9B80 + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A00728E51BEF3F7EE7759A566539182D8DDE69BB + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128CFBA2D3866663BA10695524B7632BD852872808 + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D7A7B6326BA07DC8A1298075DC42EFB96169FD7F + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF110231D23FB73C10DE82991CE6E6CA67D2E7ECFF + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708C1A07D5E3585CD4D688ED1663A9E0138268DDD + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975E8840BB5FF9F8C965CB1C4F43BB4269BF88EB797 + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A372EEADFE1266DF5297BFC1BC28FFC0338773FAB5 + +Count = 960 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320AE3616C464779BAA62B73AB38D478FFB41A8E3F94 + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7848B17BA21B3361E3F0F414C9725ABECF909789FA6 + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B234DE7F36F3DA859F023129240F79DF07D331E76 + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A54604F5DB32F5F69CE1AAF3D5788378E58B8A41380 + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C187AC187CEED149047C72EA138A43E5BCE482ED6A + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CADD3C54E1A6235A2D86BBDBA1E324F6BB186B6C9C + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A59894B68DE5BB87A24579B5F105A755C9BB0F56B + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C2623785950A33E481AAA6AD7D4E076A4519249725D5 + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F35B464EE0823D9BC2ED50BD12BB614BD43CB5E6E8 + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF25B724E152A584DF4ECB9AD6F40D3C26F3E068964 + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EE0D784079261F99D7B43C0AB716BB4A6C66E02C12 + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5BD97F2445CD2830B1C31E7336FD307CD98CC2CF15 + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CE13761A8F4AE0A936F22870A3FA1871A528AF2D84 + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583D1D4F44A734554EEA60DFC0CBB52196B5D47F66F + +Count = 974 +Key = 
000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC2291347391F80EB2311392EBE92AB84A8265515D8280 + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEBA2E11BEC7F194E64578E6368F70420049689B800 + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C5CC50C8327FFBFB8428AB29054F801FA176F3124 + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC13354933CEDECD001B3B1857AF90398ECD44B21F81 + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493ABCDB4B71AF8D2AC73B3D158D887990313D622028 + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA634AD32B1FE66DF2C836800FC12CF7B28F3B9F6C49 + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 
000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B5B4C0F90647F9ACE6B777EC29E23CE6829B58DAB + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4784649349AB7A4483AB007F6B4F5094BA93293B011686E3 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F6E95D6172826F9AEC1F5598D3D2CAD96CB154B3F4 + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B492CEDD8FEBA502D26E657080B207955CC21E8F01F + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD11619E40A23CAAFEBA658A2D99B3DECB9A73564DDAB9A + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DAAD2BA81336820EDB883A859592A83035C4B171C9 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 
542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A00728E57FCF0D86C9E43DBD16D711D36E4E0C1511 + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128CFBA2D3F2F66473A59AB2356DF626B6A0524F4175 + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D7A7B6321CFDC82A239D199A25115956E2D8A1AEAF + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF110231D23D7B6009960F77EFA5A2E1CEA703ABF8E0 + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708C1A07D2674EA3A525262B8657EFDA9E7AFE1273D + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975E8840BB5BFF9474422644E1832DD026F3F17144F27 + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A372EEADFE70A8CD2DA59E69D4880A68537AB20D8ABD + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F 
+Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320AE3616C465049D45102120B51BF2169BE7306517FE0 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7848B17BA218AC7FBD0C75394275E4BEE4C4004D3B492 + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B234DE7F32729EC34E57CBCE0A3A7DACC0574B2280E + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A54604F5DB3B4408C029769D18FBCF2E56A64A4BB5A4A + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C187AC187C3D6500672797D371FD10B8EA38F7096191 + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CADD3C54E16FE8B47C1BB1D28DA5ABA706DA9A2F8231 + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A59894B68381BA6A962B1BD3E699DBEE3D6DE480125 + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C2623785950A3E30C9C54020EAB3B06A26CBC488FC2F56 + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F35B464EE0A13C6F98AF0DC240B3029A16597CCF9F96 + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF25B724E151EF320371BD14292C4555773B13D143AF1 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EE0D784079EEC1751F9FAA9161C89C83A36572EE6391 + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5BD97F2445B47DAF094114629BF5A1447F723837DCEF + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CE13761A8F51E935F2A2CF77AD3FE578B7543D18F8F2 + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583D1D4F44A66E80D927F0302ED86DF1071481655D8CB 
+ +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC2291347391F86B12D0CD2BAAE2428FF0B2743BAD52D9E6 + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEBA2E11BEC3AE8768520872AF0C009973D4613B3B1C1 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C5CC50C8353D64CC0C544108675FEBD8C25A83EB090 + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC13354933CEE160085E1717F9C315A390E747E4BF9CB6 + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493ABCDB4B71EEBA3154D1287D4C2F5B5AF1023B0B48CB + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA634AD32B1FA7CBC91FD9A71ECE683C6E767FA3A80DF8 + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B5B4C0F9041B815DA8385C443BC8DF4D674157EBD4D + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4784649349AB7A446A45493128E4965E59F8CFA828EC0F7622 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F6E95D61726B299D4934B43E7549F5E5441DDEFC033C + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B492CEDD8FE29DE4B59E92F5EA8FBF76D440243F2F527 + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD11619E40A23CA70A63FB72E433A1226135E660F454FF6CE + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DAAD2BA813830BC79E81F31CD3B5FE1701299CEDB9E1 + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A00728E57F8B5E6D4BC9A5EEBF294DC9948E25CC68D3 + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128CFBA2D3F2D1F41EAE40777DDA52BD1A424415CDCFB1 + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D7A7B6321C80D64CDEEEEC8AEACB104B78FBE3C901D2 + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF110231D23DE5408552816F74AD9167F9EF46C2D9A74A + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708C1A07D26BE2B8C0234B68169784BC2A6246EE9DB43 + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975E8840BB5BFAC32F070038866B3A4378182C949EB0EBA + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = 
A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A372EEADFE70017B36D439338C10702EB35E4E75758328 + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320AE3616C4650E99D20A151DDA215EB252EB8E1924580C4 + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7848B17BA218AB75264BBDCB52C360BD73A0A2CF89FD71D + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B234DE7F32735921403D868518F5845181F88EB923001 + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A54604F5DB3B491B19B64EC17F8F24553316753D2EDB021 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C187AC187C3D0AE0BE814BBF2B78BA731EE7E220B10D15 + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CADD3C54E16F5537807BCA66CDF78355F5A6EB0CFCFDCB + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = 
3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A59894B6838F74CAC1A823297B564E7B6A15871F0C24C + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C2623785950A3E968C9562C3E2EDEE8AEAC5FA848A2AE579 + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F35B464EE0A1C8043188CB182A5B7913FD76E3F774336E + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF25B724E151E5424B675B6538EC0D2D7C4C83D06B4FCF8 + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EE0D784079EEA7960247170F568F865B1306D0AA724775 + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5BD97F2445B4C93663B3756EA033671BB76CC6226A871C + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CE13761A8F510FAC80CF47DD3FB5F6CC8ADB290D9779AD + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583D1D4F44A668D09E6E584FA44C1A6F835707DE7E23F67 + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC2291347391F86BAFF1720D7C4F66EB1A0437FB315CDFE542 + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEBA2E11BEC3A0843B6884393B37DC78E41E25127890FEE + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C5CC50C83539ACA7464A1E2F037CC0C4EEFE0E0C85A3F + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC13354933CEE1A8CF889BEE721D6D0C47373641E91564EA + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493ABCDB4B71EE7F490A2C69414B918D14A5A6FB3045016F + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 
B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA634AD32B1FA72DBAF251535D48E8989F834B09BC2C10D5 + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B5B4C0F9041A97986A694919E628BF43E2492F8A87A46 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4784649349AB7A446A35BC6BE71FF4B38E75F60A6F4820433B48 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F6E95D61726BE652BF388F7C44C9F0DB8F6A853AFAFA08 + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B492CEDD8FE29A01520648056643484AABB6D78B90AA9D9 + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD11619E40A23CA7053C802134A77D8FD4579A49B84E5842D33 + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 
79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DAAD2BA81383CA4C6F7C0EA281476B27158512D0D0ACF0 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A00728E57F8B1FE2914BAFB6D576AB414D501437A053E2 + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128CFBA2D3F2D1B35D283106D381741DBC05CAEB23AA7152 + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D7A7B6321C809D86E9638CD6DAA4F6A49A89C76A462A1B + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF110231D23DE5614A6F2FB642321927B16C20233E817F18 + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708C1A07D26BEE4F2FC3CF6071386713C54FD4EE2130656 + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = 
BC3DC5253B5E0FADF7C84976A35273AAC7139057F8CB5CC975E8840BB5BFACD9940720C595556E21B2C4CA3C46D27222 + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = A18A7E6DA2BDD06CE76BA308333C28728BADC1535E5C98D4A372EEADFE7001CAB01E850A8F62CFADC6B129E7D7713690 + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = E6968F13AECC548862F057750D151B7D4F0330615892F5320AE3616C4650E9DFE7C001A8C5809692C33FCEDF3B38D68A + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = C7119EB3EEFDF16A8A9CFD7E9B32433317917605B6E09EE7848B17BA218AB77819D40CA11446ED9D8A453AF2072F2E42 + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = 59F8F267DF3AFF7464D413BAAE7F0D4818AE5427E0390B406B234DE7F327350E48EDB1EECB9B6D54EFE8FF3309158F99 + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = 07C91CFB99C362153D3C45C48DE2844AE5733BC7FB7D794A54604F5DB3B491F9717D3EE3B6BA95E04CBBFB2029574880 + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = 59364B8EBFDDE3E4C93CB500A13B8A19A0D0AB81218D1AD1C187AC187C3D0A264F86F166A8C9826032CC1B16B698C34B + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 
00010203040506 +CT = 2ABB7B3DBF9DDC6D955E90F2944504713E1251DC296EBA90CADD3C54E16F55C06414E1DFFA3B7A59878BF2173E7BFF50 + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = 3FD7897D5A51C0CF58C81D44E745420326F0F05774EC49BE0A59894B6838F70B23546C9718A3E73DB771292AEFA8557C + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = C2541014DEEDFD1A8FAB9451DAA5350B33323773D73C32C2623785950A3E9640DEF52B9D530F59A6CCC8D0F8820508A3 + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = 0334A6C789250759D8F7AE6DB01B8FD15FAF99941F2927D3F35B464EE0A1C879AFA693F554493A9EC7E3483D4462DB39 + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = F86B45F4A76A4391A7CB45183A1E33D192B8F3DD3BCAD39AF25B724E151E546BF8BB964C6A63F2AA15C04A5D527176B0 + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = D3F144B4B1B9CFBD5508A266AD498C47C57EBA919357F857EE0D784079EEA7BE38E6330A171421E73FB7F8F32EA9200E + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = 1D94EE87B6304D515D2BB776A3C15B2CF3DB500F5C2E2CAC5BD97F2445B4C94B992FBD0156CA455C38DFF2581D25C1DF + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 
000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = AFCCAD252871F4451A17736A96FE9C1F9D6C5490C03473D0CE13761A8F510F7D08FA8A0ACBBAA07B6C0F3241703DD9F6 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = 2931FB866DDA155A13D1D2457F8A51EE4CE1B95F808BDB1583D1D4F44A668D77C490B95BCEC50DA69F1D3A5F40CE612A + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = 232A3DE7073D04E750D47454A301C60B2787EE992B7ADC2291347391F86BAF7B6F123BBD60BEBE20D12CDAFBA102FDE3 + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 89DC93DD5BF35C006E39ACD5F475BD62B246994982B5E3DEEBA2E11BEC3A08E2E9A859B170E537552964A6BE6BFF9542 + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 0798661F522ED61FBDC04F38C064F80A80BC9A57ED86862F5C5CC50C83539A9C5CF5363AB70FA84B2DF026269DD8B5B7 + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 5C49F1D1491CC350ED9D2DE5C6DC4BEB35F130ECBC0EC8DC13354933CEE1A8C1D4A48F7047FEBB69EFE87D4CAFB010E7 + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 
000102030405060708090A0B0C0D0E0F10111213 +CT = F8A79B4D12759EFCDF9CAC9CBD6A13E836D6450BAEF97E493ABCDB4B71EE7F57FCCAEBC6E52ADAC2DE575755547B3D22 + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B466E4D104BB257C84B52ACFD888D0C9D0AB19AEA0591BBA634AD32B1FA72D2D53E3F7F4F15506F3541A553930ADB9F4 + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0E927366B157392FBF12EB246CE6D27D0A72873E43181EA09B5B4C0F9041A960CB8D75EAD9060B923BEBB34C7485D127 + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = A80DB0DBE1B66779109D05871303311C93C5B5E18C4784649349AB7A446A351B8C6D493377D6E47385B32D1B19E811E8 + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = D6A60860E53FDE2F4558EE84E27C57006CA6FB8B85407417F6E95D61726BE66A4282876239D91D8E29BA5390A542CD0F + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 48E2CF82820D703E8426FCBC7F2D9F4A7FD06EA9C1B13B0B492CEDD8FE29A0F29604F7D14F8DCE2470855A4AD3F673A5 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
+CT = A3E12C5EAF828E7FF680FC6894BE2E5391FDAAF9A6ABD11619E40A23CA7053DFAFC1B8C5CD03CA4843660234514993F8 + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 79C7DEC6E94EE8C2C78343ED12517EFA76668E2DA2CCE6B4DAAD2BA81383CA2866DC161DF382EF8012606EBCE155371F + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 542547DE8D6E5A96B095DEDDE6CE33CF8E9C343B0A43E666A00728E57F8B1FB7877AA6627AF664B163063793932A9C7C + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2473EF42E0B5FABFD721E687925910804F88EDC1F44DCA128CFBA2D3F2D1B39CF8517F7882303A65C79053B1FA56D66B + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C348625512CE8629A2C39BA35568EC2C38434F571B5166A7D7A7B6321C809DF7F6B6AB213BBB39F1139857C4E76203E8 + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B13379F891E73D17560160FA1B3857FFD70D4A09D0C8DFBF110231D23DE561DB50D67A92663675960EEB935F331CE9D2 + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+CT = F43FAD8EE40C3BA66E7CFA3F16EDDC86212D87B8F16BABA708C1A07D26BEE478D0530C9553823B4733F364213949657A
+
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/ascon.h
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/config.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/config.h
new file mode 100644
index 0000000..6d19c18
--- /dev/null
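Review bot: `typedef struct { ... } key_t;` in ascon.h takes the name `key_t`, which POSIX already defines in <sys/types.h> (the System V IPC key type), so any translation unit that includes this header together with a system header that pulls in <sys/types.h> gets a conflicting-typedef error. A project-prefixed name such as `ascon_key_t` avoids the clash; encrypt.c in this same patch is the visible user (`key_t key;` and the `const key_t* key` parameters), so the rename is mechanical. The `state_t` union is fine as a name but sits in the same global namespace, and a matching `ascon_state_t` would keep the two consistent.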
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.c
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/encrypt.c
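Review bot: `RC(i)` expands its argument unparenthesised inside `constants[i + 1]` and `constants[i]`, unlike `START(n)` two lines below, which wraps `(n)`; an argument containing a lower-precedence operator would index the wrong elements. For consistency and macro hygiene: `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`. The `constants[]` array it reads is only defined in constants.c when `ASCON_UNROLL_LOOPS` is 0, which presumably matches the only configuration in which `RC(i)` is expanded; a one-line comment above the macro saying so would save the next reader a search.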
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/endian.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/endian.h
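Review bot: `crypto_aead_decrypt` has already written the whole decrypted message into `m` (via `ascon_decrypt`) and set `*mlen` before the tag is compared, so on a non-zero return `m` holds unauthenticated bytes; the SUPERCOP/NIST API permits this, but nothing in the file states the contract. A comment above the function would help: `/* On a non-zero return the tag did not verify: the bytes written to m are unauthenticated and must be discarded by the caller; *mlen is set regardless. */`. The constant-time property of the final check rests entirely on `NOTZERO` (defined outside this hunk) and on the compiler not rewriting it into an early-exit branch, which the inline comment flags but no build-time check enforces. `printstate("init 1st key xor", s)` and the other `printstate` calls see the state while it still contains the raw key words; confirm that printstate.h compiles them out unless debugging is explicitly enabled, since otherwise key material reaches whatever sink printstate writes to.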
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/forceinline.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.c
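Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is dead code and tests a macro clang never defines: clang predefines `__clang__` (lowercase) and also `__GNUC__`, so every clang build is caught by the preceding `__GNUC__` branch and the `__has_attribute` probe is never evaluated. Either delete the branch, or spell it `#elif defined(__clang__)` and move it above the `__GNUC__` check if the attribute probe is the intended behaviour for clang. The value clang ends up with today is still `inline __attribute__((__always_inline__))`, so this is a correctness-of-intent and style point rather than a functional bug.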
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.c
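Review bot: `uint32_t lo = in;` in `deinterleave32` and `uint32_t e = in;` in `interleave32` rely on implicit truncation of a `uint64_t`, which triggers `-Wconversion` and hides the intent; `uint32_t lo = (uint32_t)in;` and `uint32_t e = (uint32_t)in;` make the low-half extraction explicit and symmetric with the `in >> 32` used for the high half. The comma-operator statements in `deinterleave16`/`interleave16` (`t = ..., x ^= ...;`) pack a mask-and-swap stage into one line each; a comment such as `/* each line is one delta-swap stage: bit pairs, nibbles, bytes, then halves */` above the first of them would explain the shape, since the Hacker's Delight credit only appears on the 32-bit wrappers. `B` as a global identifier exported from a header is easy to collide with; a project-prefixed name would match the rest of the API.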
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/permutations.h
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.c 
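Review bot: the unrolled `P(state_t* s, int nr)` dispatches with three independent `if`s and silently does nothing for any other `nr`, so a caller bug or a rate/round-count mismatch would skip the permutation entirely instead of failing. At the call sites visible in this patch `nr` is a compile-time constant and the `if`s fold away, but the contract is not written down anywhere; a comment such as `/* nr must be 6, 8 or 12; any other value leaves the state unchanged */` above the function, or an `else` branch that rejects other values in debug builds, would make it explicit. The same dispatch appears in the armv6 `permutations.h` later in this patch.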
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/round.h new file mode 100644 index 0000000..772d7f2 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/round.h 
@@ -0,0 +1,46 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint64_t C) { + state_t t; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[1] ^= t.x[0]; + t.x[3] ^= t.x[2]; + t.x[0] ^= t.x[4]; + /* linear layer */ + s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1); + s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10); + s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7); + s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39); + s->x[2] = t.x[2] ^ ROR(s->x[2], 1); + s->x[3] = t.x[3] ^ ROR(s->x[3], 10); + s->x[4] = t.x[4] ^ ROR(s->x[4], 7); + s->x[0] = t.x[0] ^ ROR(s->x[0], 19); + s->x[1] = t.x[1] ^ ROR(s->x[1], 39); + s->x[2] = ~s->x[2]; + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32/word.h 
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/architectures b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/ascon.h 
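Review bot: `LOAD` and `STORE` access a full 8 bytes through `*(uint64_t*)bytes` regardless of `n`, so a final partial block with `n < 8` reads past the end of the input, and in `STORE` the `&= ~MASK(n)` clears only the first `n` bytes of memory while the following `|= WORDTOU64(w)` ORs in the whole word, so destination bytes `n..7` receive state bits as well. The armv6 `encrypt.c` later in this patch shows the callers (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(m, *px, clen)`); on the encrypt side the tag written afterwards covers the extra bytes, but for decrypt's `STORE(m, *px, clen)` this is a write past the end of the caller's plaintext buffer unless `m` is over-allocated by up to 7 bytes, which nothing here documents, and the 8-byte accesses are also unaligned/strict-aliasing undefined behaviour. The memcpy-based `LOADBYTES`/`STOREBYTES` in this same header already handle exact lengths and could serve the partial-block callers; at minimum `STORE` should mask what it writes, `*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`, which mirrors the masking `LOAD` already does. If the wide access is deliberate for speed, a comment on `LOAD`/`STORE` stating that callers must guarantee 8 readable/writable bytes would keep the next reader from using them on tightly sized buffers.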
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/config.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/config.h
new file mode 100644
index 0000000..6d19c18
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.c
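Review bot: `typedef struct { ... } key_t;` reuses a name POSIX reserves in `<sys/types.h>` (`key_t`, the SysV IPC key type), so any translation unit that includes a system header pulling in `<sys/types.h>` before `ascon.h` fails with a conflicting typedef. A project-prefixed name such as `ascon_key_t` avoids this; the users visible in this patch are the `ascon_*` prototypes here and `encrypt.c`. Separately, the struct layout depends on `CRYPTO_KEYBYTES` from `api.h`, which from what is visible `ascon.h` does not include itself (only `word.h`), so the size of `key_t` depends on include order; an explicit `#include "api.h"` here, or a comment stating that `api.h` must come first, would make that visible.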
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/encrypt.c 
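Review bot: `RC(i)` expands its argument unparenthesized in `constants[i + 1]` and `constants[i]`, so an expression argument such as `RC(i + INC)` would index differently than intended; write `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`. `START(n)` in the same header already parenthesizes `(n)`, so this is just consistency. The only caller visible in this patch, `PROUNDS` in round.h, passes a plain variable, so nothing misbehaves today.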
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/endian.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/endian.h 
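Review bot: `crypto_aead_decrypt` writes the decrypted bytes into `m` before the tag is checked and, when `NOTZERO` reports a mismatch, returns -1 with the unauthenticated plaintext still in `m` and `*mlen` still set, so a caller that ignores the return value consumes forged plaintext. The usual mitigation is to wipe the output on failure before returning, e.g. `int result = NOTZERO(s.x[3], s.x[4]); if (result) memset(m, 0, (size_t)clen); return result;` (`memcpy` is already used via `word.h`, so `<string.h>` is presumably in scope). The comment "should be constant time, check compiler output" is fair, but `NOTZERO` additionally relies on the arithmetic right shift of a negative `int`, which is implementation-defined; the same branch-free fold can be written on unsigned arithmetic. The final-block calls `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `STORE(m, *px, clen)` each touch 8 bytes when fewer remain, per the `LOAD`/`STORE` definitions in `word.h` earlier in this patch.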
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.c
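Review bot: the `#elif defined(__CLANG__)` branch can never be taken: clang's predefined macro is the lowercase `__clang__`, and clang also defines `__GNUC__`, so the preceding `#elif` already catches it. Either drop the dead branch or, if the intent is to use `__has_attribute` on clang specifically, test `defined(__clang__)` before the `__GNUC__` case. Harmless as written, since the GNU branch yields the same `__always_inline__` definition.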
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.c 
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.c 
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/round.h new file mode 100644 index 0000000..a52ca55 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/round.h 
@@ -0,0 +1,229 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror 
#11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], 
%[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round 
description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], 
%[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6/word.h 
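Review bot: `ROUND_LOOP` carries no comment on what its two pointer arguments mean, which only `PROUNDS` at the bottom of the hunk reveals (`constants + START(nr)` and `constants + 24`): the asm loads one constant byte per state half (`ldrb ... [%[C]], #1` twice per iteration) and repeats until `C` reaches `E`. A header comment along the lines of `/* C: first round-constant byte pair for this permutation, E: one past the last pair (constants + 24); each iteration applies one round to both halves of the bit-interleaved state */` would spare the next reader from deriving this from the asm. Also `E` is declared as a read-write operand (`[ E ] "+r"(E)`) although the asm only compares against it; an input constraint `"r"(E)` states the intent more precisely, though the current form is harmless.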
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/architectures b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/ascon.h 
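Review bot: `LOAD` and `STORE` perform an unconditional 8-byte access through `*(uint64_t*)bytes` regardless of `n`, so for a partial final block they read up to 7 bytes past the end of the caller's buffer, and `STORE` writes the full 8-byte word back (preserving the masked-out bytes, but still touching memory outside the object); on targets that trap unaligned word accesses the cast is an alignment hazard as well. In the encrypt.c hunk later in this patch this reaches `LOAD(ad, adlen)`, `LOAD(m, mlen)`, `LOAD(c, clen)` and `STORE(m, *px, clen)` for the trailing partial block, where the plaintext output buffer only has `clen` bytes left. `LOADBYTES`/`STOREBYTES` in the same header already implement the bounded `memcpy` form; using them for the partial-block calls (keeping `LOAD`/`STORE` for full 8-byte blocks) removes the out-of-bounds access at the cost of one `memcpy` per message. Separately, `NOTZERO` relies on an arithmetic right shift of a negative `int` (`((int)(result & 0xff) - 1) >> 8`), which is implementation-defined in C; a comment stating that assumption, or an unsigned mask-based formulation, would make the constant-time intent portable.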
@@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/config.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/config.h new file mode 100644 index 0000000..530c3ad --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/config.h @@ -0,0 +1,29 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 1 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 1 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.c 
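Review bot: The typedef `key_t` in ascon.h collides with the POSIX `key_t` declared by `<sys/types.h>` (which glibc's `<stdlib.h>` includes by default), so any translation unit that sees both gets a conflicting-type error; encrypt.c in this directory uses the same name. A project-prefixed name such as `ascon_key_t`, with matching updates in `ascon_loadkey`, `ascon_initaead` and `ascon_final`, avoids the clash. Note also that the `#if (CRYPTO_KEYBYTES == 20)` guard depends on api.h, which ascon.h does not include itself; if ascon.h is ever included before api.h the undefined macro evaluates to 0 and the struct layout silently differs between translation units, so an explicit `#include "api.h"` (or an `#ifndef CRYPTO_KEYBYTES` / `#error`) would make the dependency robust.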
@@ -0,0 +1,9 @@ +#include "constants.h" + +#if !ASCON_UNROLL_LOOPS + +const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9, + 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9, + 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3}; + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.h new file mode 100644 index 0000000..d353d10 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/constants.h 
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/encrypt.c 
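Review bot: `RC(i)` expands its argument unparenthesized (`constants[i + 1]`, `constants[i]`), while `START(n)` in the same file correctly writes `(n)`; for consistency and macro hygiene use `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`. This is harmless for the plain arguments used so far but keeps the header safe for an argument with lower-precedence operators.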
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/endian.h 
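Review bot: In `crypto_aead_decrypt` the plaintext is fully written to `m` and `*mlen` is set before the tag is verified, so on a forged ciphertext the function returns -1 but leaves the unauthenticated plaintext in the caller's buffer. The NIST API tolerates this, but a cheap defence against callers that ignore the return value is to wipe the output on mismatch: `int result = NOTZERO(s.x[3], s.x[4]); if (result) memset(m, 0, *mlen); return result;` (`memset` needs `<string.h>`, which word.h presumably already pulls in for `memcpy`). The local `state_t s` and `key_t key` also remain on the stack after both functions return; if memory disclosure is in the target's threat model they should be cleared before returning. The existing comment `/* verify tag (should be constant time, check compiler output) */` is a good reminder that `NOTZERO` alone does not guarantee constant time.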
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/forceinline.h 
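Review bot: The little-endian `U64BIG(x)` evaluates its argument eight times (and `U32BIG` four times), so any argument with side effects would be repeated; callers in this patch pass plain values, but a comment such as `/* x is evaluated multiple times; pass side-effect-free expressions only */` next to the macro would document the constraint, or a `static inline uint64_t` function would remove it. The `defined(_MSC_VER)` arm also assumes every MSVC target is little-endian, which holds for the platforms MSVC supports today but deserves a one-line comment.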
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.c new file mode 100644 index 0000000..effd40b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.c 
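Review bot: The `#elif defined(__CLANG__)` branch is dead: clang predefines `__clang__` (lower case), not `__CLANG__`, and because clang also defines `__GNUC__` it is captured by the preceding branch anyway, so the `__has_attribute` probe is never exercised. Either delete the branch or spell it `#elif defined(__clang__)` and order it before the `__GNUC__` check. Presumably the identical header exists in the sibling implementation directories of this patch and should be fixed in the same way.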
@@ -0,0 +1,15 @@ +#include "interleave.h" + +#if !ASCON_EXTERN_BI + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.h new file mode 100644 index 0000000..e5d6703 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/interleave.h 
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.c 
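Review bot: `B` is a one-letter symbol with external linkage (`extern const uint32_t B[3]`), which is an easy collision in any program that links this library; a project-prefixed name such as `ascon_bi_masks` would be safer. The definition in interleave.c is compiled only under `!ASCON_EXTERN_BI`, while the inline `deinterleave16`/`interleave16` here reference `B` unconditionally, so in the default configuration (config.h sets `ASCON_EXTERN_BI 1`) any caller of those functions fails at link time; that appears harmless in this patch because `U64TOWORD`/`WORDTOU64` map to `U64BIG` in that configuration, but a comment at the `extern` stating that dependency would prevent surprises.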
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/permutations.h 
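Review bot: `P8` and `P6` are only compiled under the rate/round conditions of their `#if` guards (in this directory api.h sets `ASCON_AEAD_RATE 8`, so `P8` is absent), while the permutations.h hunk that follows declares all three unconditionally and `P()` dispatches to them with `if (nr == 8) P8(s)`. The link therefore depends on every call to `P` passing a compile-time constant `nr` so that the unused branch is folded away after inlining, which may not hold at low optimization levels or for a caller with a runtime `nr`. Mirroring the same guards around the declarations and the dispatch lines in permutations.h (or a comment at the top of this file stating the constant-`nr` requirement) would make the contract explicit.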
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.c 
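Review bot: In both definitions of `P(state_t* s, int nr)` the three `if` statements are independent and silently do nothing for any `nr` other than 12, 8 or 6, leaving the state unpermuted with no diagnostic. Since only those three values are meaningful, an `else if` chain plus a comment such as `/* only 12, 8 and 6 rounds are supported; other values are a programming error */` (or an `assert(0)` in a final `else`) would make the contract explicit. The `PROUNDS` variants are not affected because `START(nr)` computes the offset directly.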
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/round.h
new file mode 100644
index 0000000..76679e7
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/round.h
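Review bot: `printstate()` dumps all five state words to stdout, and at the `init 1st key xor` call in encrypt.c words x1/x2 are the raw key, so `ASCON_PRINT_STATE` is a secret-revealing debug switch with nothing in either file saying so. Suggest a comment above `#ifdef ASCON_PRINT_STATE` in printstate.h: `/* Debug aid: prints the full cipher state, including key-derived words, to stdout. Leave ASCON_PRINT_STATE undefined in any build that handles real keys. */`. Minor: `for (int i = strlen(text); i < 17; ++i)` narrows `size_t` to `int`; `(int)strlen(text)` makes the intent explicit.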
@@ -0,0 +1,325 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "ldrb %[tmp2], [%[tmp1], #0]\n\t" + "push {%[tmp0]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" + "ldrb %[tmp2], [%[tmp1], #1]\n\t" + "add %[tmp1], %[tmp1], #2\n\t" + "movs %[tmp0], %[x2_h]\n\t" + "push {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs 
%[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], 
#11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], %[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "pop {%[tmp1]}\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "pop {%[tmp0]}\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + "cmp %[tmp1], %[tmp0]\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "+l"(E), [ tmp2 ] "=l"(tmp1) + : + :); + printstate(" round output", s); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp1], %[C_e]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" 
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "movs %[x0_l], %[C_o]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + 
"eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], #11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], 
%[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C_e ] "ri"((uint32_t)C), [ C_o ] "ri"((uint32_t)(C >> 32)) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv6m/word.h 
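Review bot: Neither asm block documents its register conventions, and the `push`/`pop` of `%[tmp0]` and `%[tmp1]` inside `ROUND_LOOP` is indistinguishable from leftover debugging without one. Suggest a header comment above `ROUND_LOOP` stating why the `_l` state halves and temporaries are bound with `"+l"` while the `_h` halves use `"+r"`, and that the end pointer `E` and the constants pointer `C` are spilled to the stack for the duration of the round body and restored just before the `cmp`/`beq` exit test — presumably a Thumb-1 register-pressure measure, to be confirmed by the author. It is also worth stating at `PROUNDS` that the loop exits only when `C` reaches `E` exactly, so a round count above 12 makes `START(nr)` point before `constants[]` and those bytes are consumed as round constants; the call sites in this patch only pass constants. `ROUND_LOOP` begins at the top of the hunk.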
@@ -0,0 +1,116 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+#include "interleave.h"
+
+#if ASCON_EXTERN_BI
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+#else
+
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
+
+#endif
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
+}
+
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
+}
+
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
+}
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/architectures b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/ascon.h
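Review bot: `LOAD()` and `STORE()` touch a full 8 bytes through `*(uint64_t*)bytes` whatever `n` is: `LOAD` reads up to 7 bytes past the end of the caller's data, and `STORE` clears only the low `n` bytes but then ORs in all eight bytes of `WORDTOU64(w)`, so bytes `n..7` of the destination receive state bits — for the final decrypt block in encrypt.c (`STORE(m, *px, clen)` with `clen` below 8) that is a write past a plaintext buffer sized exactly `clen` unless the caller over-allocates. The cast is also an unaligned, aliasing-violating access, which as far as I know ARMv6-M does not tolerate for word loads. The byte-exact `memcpy` forms already exist just below as `LOADBYTES`/`STOREBYTES`; if the wide access is a deliberate speed trade-off, both functions need a comment naming the buffer-padding requirement, otherwise the byte-exact versions below keep the same word layout on little-endian targets.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* byte-exact: reads only bytes[0..n-1], no alignment requirement */
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* byte-exact: writes only bytes[0..n-1], bytes n..7 of w are dropped */
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```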
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/config.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/config.h
new file mode 100644
index 0000000..4338d29
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.c
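Review bot: `typedef struct { ... } key_t;` takes the name `key_t`, which POSIX reserves for the IPC key type in `<sys/types.h>`; on hosts where that header is pulled in transitively (glibc's `<stdlib.h>` under the default feature macros does so), the two typedefs collide and the translation unit fails to compile. A project-prefixed name sidesteps it: `} ascon_key_t;` here, with the five prototypes below and the `key_t` uses in encrypt.c renamed to match. If the name is kept for API compatibility, a comment above the struct should at least record that it shadows the POSIX type and that the code is built freestanding.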
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/encrypt.c
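Review bot: `RC(i)` leaves its argument unparenthesized (`constants[i + 1]`) while `START(n)` two lines below wraps `(n)`; any argument with lower precedence than `+`, such as a conditional expression, would index the wrong constant byte. `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` makes the two macros consistent. The round constants `RC0`–`RCb` match the `constants[]` table in constants.c pairwise (low word at even index, high word at odd), which is worth a one-line comment on the table since the two files must stay in sync by hand.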
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/endian.h 
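Review bot: `crypto_aead_decrypt` leaves the unauthenticated plaintext in `m` (with `*mlen` already set) when the tag check fails, and both entry points return with `key` and the full state `s` still on the stack. The compare via `NOTZERO` is branch-free, but it relies on an arithmetic right shift of a negative `int`, which C leaves implementation-defined — that is the specific thing the existing "check compiler output" comment should name. Hardening is a few lines at the tail of `crypto_aead_decrypt` (plus the two `memset`s at the tail of `crypto_aead_encrypt`): keep the result, wipe `m` on failure and clear the key/state locals. `<string.h>` is not among the visible includes, and since a plain `memset` on locals about to die may be dropped by the optimizer, prefer `explicit_bzero`/`memset_s` where the target provides one.
```c
  /* verify tag (should be constant time, check compiler output) */
  s.x[3] ^= LOADBYTES(c + clen, 8);
  s.x[4] ^= LOADBYTES(c + clen + 8, 8);
  int result = NOTZERO(s.x[3], s.x[4]);
  /* never hand unauthenticated plaintext back to the caller */
  if (result) memset(m, 0, clen);
  /* key and state must not outlive the call (explicit_bzero/memset_s if available) */
  memset(&key, 0, sizeof key);
  memset(&s, 0, sizeof s);
  return result;
```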
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.c
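Review bot: The `#elif defined(__CLANG__)` branch is dead: clang's predefined macro is `__clang__` (lowercase), and clang also defines `__GNUC__`, so the preceding branch already catches it and the `__has_attribute` probe never runs. Either drop the branch or test `defined(__clang__)` before the GNU check; as written it reads as if clang were handled specially when it is not. Since `forceinline` is what keeps the round functions from becoming out-of-line calls, which build gets `__always_inline__` is worth a line of comment here.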
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+  uint32_t t;
+  t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+  t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+  t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+  t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+  return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+  uint32_t t;
+  t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+  t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+  t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+  t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+  return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+  in = U64BIG(in);
+  uint32_t hi = in >> 32;
+  uint32_t lo = in;
+  uint32_t t0, t1, e, o;
+  t0 = deinterleave16(lo);
+  t1 = deinterleave16(hi);
+  e = (t1 << 16) | (t0 & 0x0000FFFF);
+  o = (t1 & 0xFFFF0000) | (t0 >> 16);
+  return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+  uint32_t e = in;
+  uint32_t o = in >> 32;
+  uint32_t t0, t1, lo, hi;
+  t0 = (o << 16) | (e & 0x0000FFFF);
+  t1 = (o & 0xFFFF0000) | (e >> 16);
+  lo = interleave16(t0);
+  hi = interleave16(t1);
+  return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.c
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+     (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+     !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+     !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.c 
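Review bot: The inline `P(state_t* s, int nr)` dispatchers in the two unrolled configurations silently ignore any `nr` other than 12, 8 or 6, so a wrong round count leaves the state unpermuted instead of failing loudly; a comment above them, e.g. `/* nr must be 12, 8 or 6: any other value is a no-op */`, would make that contract explicit. In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` branch the `P8`/`P6` prototypes are unconditional while permutations.c only defines them when `ASCON_AEAD_RATE`/`ASCON_HASH_ROUNDS` select them, so the dispatcher presumably relies on the compiler folding the constant `nr` and discarding the unused call; that assumption is worth stating in the same comment, since an unoptimised build may otherwise see an unresolved `P8`/`P6`. The permutations.h hunk starts on the previous line of this chunk.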
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+  printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+  printf("%s:", text);
+  for (int i = strlen(text); i < 17; ++i) printf(" ");
+  printword(" x0", s->x[0]);
+  printword(" x1", s->x[1]);
+  printword(" x2", s->x[2]);
+  printword(" x3", s->x[3]);
+  printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+  printf(" ");
+  printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+  printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+  printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+  printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+  printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+  printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+  do { \
+  } while (0)
+
+#define printstate(text, s) \
+  do { \
+  } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/round.h
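Review bot: `printstate` dumps the full permutation state to stdout, and at the `init 1st key xor` and `final 1st key xor` call sites in encrypt.c that state holds the raw key words, so the `#ifdef ASCON_PRINT_STATE` guard is the only thing keeping key material out of a build's output. A header comment stating that, e.g. `/* debug tracing only: prints the whole state, including key words; ASCON_PRINT_STATE must stay undefined in production builds */`, would record the intent where a future build-flag change will be looked at. Minor: `for (int i = strlen(text); i < 17; ++i)` narrows `size_t` to `int`; `(int)strlen(text)` makes the conversion explicit and silences sign-conversion warnings.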
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m/word.h 
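Review bot: `ROUND` takes `C` as an ordinary `uint64_t` parameter but feeds it to the asm through `"i"` immediate constraints (`[ C_e ] "i"((uint32_t)C)`, `[ C_o ] "i"((uint32_t)(C >> 32))`); that only assembles once the call has been inlined and `C` folded to a compile-time constant, so a build that does not fold constants (for example at -O0) may fail with an impossible-constraint error despite `forceinline`. If that is the intended contract, a comment on `ROUND`, e.g. `/* C must fold to a compile-time constant: it is emitted as an asm immediate */`, would save the next reader a confusing build error. `ROUND5` has the same requirement, but as a macro its `C` is always one of the `RCx` literals at the use sites in permutations.h, so only `ROUND` needs the note. The round.h hunk starts on an earlier line of this chunk.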
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/ascon.h 
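Review bot: `LOAD` and `STORE` always touch a full 8 bytes through `*(uint64_t*)bytes` regardless of `n`, so a caller handing them a partial block (`n < 8`) reads, and in `STORE` also writes, up to `8 - n` bytes beyond what it owns; the cast additionally relies on unaligned 64-bit accesses being allowed on the target and on the compiler not applying strict-aliasing rules to a `uint8_t*` reinterpreted as `uint64_t*`. The memcpy-based `LOADBYTES`/`STOREBYTES` in the same file are the bounded alternative for partial blocks. At minimum the contract should be written on both functions, e.g. `/* always accesses 8 bytes at `bytes`, whatever n is: the caller must guarantee 8 readable (STORE: writable) bytes */`. The word.h hunk starts on the previous line of this chunk.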
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+  uint64_t x[5];
+  uint32_t w[5][2];
+  uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+  uint64_t k0;
+#endif
+  uint64_t k1;
+  uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/config.h
new file mode 100644
index 0000000..b6ab257
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 0
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
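Review bot: `typedef struct { ... } key_t;` reuses the name `key_t`, which POSIX reserves and `<sys/types.h>` defines, so on a hosted toolchain any header that transitively pulls in `<sys/types.h>` makes ascon.h fail with a conflicting type definition; a project-prefixed name (for example `ascon_key_t`, renamed consistently in the prototypes here and in encrypt.c's `key_t key;`) avoids the clash. The `#if (CRYPTO_KEYBYTES == 20)` inside the struct also depends on api.h having been included by the consumer first, since ascon.h itself includes only a system header and word.h; a translation unit that includes ascon.h without api.h silently gets the two-word layout because the undefined macro compares as 0. Either `#include "api.h"` here or a comment `/* requires api.h (CRYPTO_KEYBYTES) to be included before this header */` would make that dependency explicit.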
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.c
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+                             0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+                             0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/endian.h 
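Review bot: In `ascon_decrypt`'s final-block path, `STORE(m, *px, clen);` with `clen < 8` writes a full 8 bytes into `m`, but only `clen` bytes of the plaintext buffer remain at that point (`*mlen = clen - CRYPTO_ABYTES`), so a caller with an exactly-sized output buffer gets up to 7 bytes written past its end; the partial-block `LOAD(ad, adlen)` in `ascon_adata` and `LOAD(m, mlen)` in `ascon_encrypt` likewise read past the caller's input. In encryption the 8-byte `STORE(c, *px, mlen)` lands in the tag region and is overwritten by the `STOREBYTES` tag writes, so only the decrypt write is out of bounds. Switching the four `if (len)` tails to the memcpy-based helpers, `STOREBYTES(m, *px, clen);` and `LOADBYTES(ad, adlen)` / `LOADBYTES(m, mlen)` / `LOADBYTES(c, clen)`, bounds every access to the caller's buffers at negligible cost. Separately, `crypto_aead_decrypt` releases the plaintext into `m` before the tag comparison, so the existing "verify tag" comment should also say that callers must discard `m` whenever the return value is nonzero. The encrypt.c hunk starts on an earlier line of this chunk.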
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.c
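Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h tests a macro that clang does not predefine; the real one is `__clang__`, and since clang also defines `__GNUC__` the preceding branch already catches it, so this branch is dead either way. If a clang-specific path that checks `__has_attribute` first is intended, the fix is `#elif defined(__clang__)` placed before the `__GNUC__` test; otherwise the branch can simply be dropped. As written, clang takes the `__GNUC__` path and gets `__attribute__((__always_inline__))` unconditionally, which is fine in practice but not what the guard suggests.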
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.c 
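Review bot: The first `#include` directive in interleave.h carries no header name in this rendering, yet the file uses `uint32_t` and `uint64_t` before any of its own headers could declare them; most likely `<stdint.h>` was stripped by the diff viewer, but if the committed file really has a bare `#include` it does not compile. The same bare `#include` shows up in permutations.h, printstate.c, word.h, ascon.h and constants.h in this patch, so it is worth checking once against the actual files. A point of style in the same hunk: the bit-interleaving mask table is exported from a library header as the unprefixed global `extern const uint32_t B[3];`, which is easy to collide with in a consumer's translation unit; a project-prefixed name (e.g. `ascon_bi_masks`) would be safer.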
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.c 
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/round.h
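Review bot: `printstate` in printstate.c dumps all five state words, and the first trace point of the AEAD mode (`printstate("init 1st key xor", s)` in encrypt.c, right after `s->x[1] = key->k1; s->x[2] = key->k2;`) is taken while the key words sit unmodified in the state, so a build with `ASCON_PRINT_STATE` defined writes the key to stdout in clear. That is appropriate for a KAT/debug build, but nothing in the file says so; I would add above the `#ifdef ASCON_PRINT_STATE` guard: `/* Debug tracing only: prints the full internal state, including the key words loaded in ascon_initaead. Never define ASCON_PRINT_STATE in a production build. */`. Minor: `for (int i = strlen(text); ...)` narrows a `size_t` into an `int`; `size_t i` avoids the conversion warning.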
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_armv7m_small/word.h 
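Review bot: `ROUND_LOOP` in round.h reads the round-constant bytes with `ldrb %[tmp1], [%[C]], #1`, but the asm statement only describes `C` as a register operand; neither the bytes it points to nor a `"memory"` clobber are declared, so the compiler is told nothing about that read. It is benign here because `constants` is a `const` array with static initialisation and nothing writes it, but the dependency should be explicit, e.g. an input operand `"m"(*(const uint8_t (*)[24])C)` or, less precisely, `"memory"` in the clobber list. `[ E ] "+r"(E)` is declared read-write although the asm only compares against it; `"r"(E)` as an input is the accurate constraint. `ROUND` and `ROUND5` pass the round constant through `"i"` constraints, so they only assemble when `C` folds to a compile-time constant after inlining; a one-line comment stating that precondition would save the next reader a confusing error if `forceinline` ever degrades to plain `inline`.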
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/ascon.h
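Review bot: `LOAD` and `STORE` in word.h access a full 8 bytes at `bytes` regardless of `n` (`*(uint64_t*)bytes`), and `STORE` ORs in `WORDTOU64(w)` without masking it to `n`, so for a partial final block the bytes of the state word beyond position `n` are written past the `n` bytes the caller owns. In the `ascon_decrypt` shown at the top of this chunk that is `STORE(m, *px, clen)` with `clen < 8`, where `m` is only `clen` bytes long, so up to seven bytes derived from the padded rate word land after the plaintext buffer; `ascon_encrypt` is covered only because the tag is written over the same region afterwards. If this "small" variant deliberately requires slack around its buffers, that precondition is stated nowhere on the page and belongs at the top of word.h, e.g. `/* LOAD/STORE touch a full 8-byte window at bytes regardless of n; callers must provide readable and writable slack up to the next 8-byte boundary. */`; otherwise the final-block path should mask, `*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`, or use the `memcpy`-based `STOREBYTES` as the other variants do. The `uint64_t` cast of a byte pointer also assumes the compiler never lowers it to an alignment-requiring LDRD/STRD on the target; `memcpy` as in `LOADBYTES`/`STOREBYTES` would remove that assumption as well.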
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/config.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/config.h
new file mode 100644
index 0000000..08d2df0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 0
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.c
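Review bot: ascon.h defines `typedef struct { ... } key_t;` in a public header, and `key_t` is also the POSIX System V IPC type from `<sys/types.h>`, which some toolchains pull in transitively through `<stdio.h>` or `<string.h>` (both used by printstate.c in this patch); a translation unit that sees both gets a conflicting-typedef error. A project-prefixed name such as `ascon_key_t` avoids the clash, and the only uses on this page are the `ascon_*` prototypes in this header plus the `key_t key;` locals in encrypt.c. `state_t` is likewise a common identifier in embedded SDK headers, so the same prefixing would be prudent there.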
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/encrypt.c 
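Review bot: The `RC(i)` macro near the end of constants.h uses its argument unparenthesised, `constants[i + 1]`, so an argument with lower precedence than `+` mis-expands (`RC(a & b)` becomes `constants[a & (b + 1)]`). The safe form is `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`. A point of style: `INC` and `END` are unprefixed names in a public header and are easy to collide with; the neighbouring `START(n)` is already fine.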
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/endian.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/endian.h 
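Review bot: `crypto_aead_decrypt` has already written the full decrypted stream into `m` and set `*mlen` by the time the tag is compared, so on a tag mismatch the caller receives unauthenticated plaintext alongside the -1 return. The SUPERCOP-style API only promises the return value, but a defensive implementation wipes the output on failure, e.g. `int ret = NOTZERO(s.x[3], s.x[4]);` / `if (ret) memset(m, 0, clen);` / `return ret;` (word.h already relies on `memcpy`, so `<string.h>` is presumably in scope), or at minimum a comment on the function stating that `m` must be discarded when the result is nonzero. The same pattern is in `bi32_lowsize/crypto_aead.c`, where `result` is computed after `ascon_aead` has filled `m`. The tag-check comment "should be constant time, check compiler output" would read better as a statement of what `NOTZERO` guarantees rather than a to-do for the reader.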
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/forceinline.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/forceinline.h 
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.c
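Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be taken: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so clang always lands in the GCC branch above and the `__has_attribute` probe below it is dead code. Either drop the branch or change it to `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test if the probe is meant to run for clang. The same file is added again under `bi32_lowsize/forceinline.h` with the identical branch.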
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.c 
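Review bot: A point of style in `deinterleave16` and `interleave16`: every step fuses two assignments with the comma operator, `t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);`, which reads as one expression and obscures that `t` must be fully assigned before the second half runs; writing each step as two statements costs nothing in generated code and makes the in-place swap pattern obvious. A short comment on the 16-bit helpers would also help, since the Hacker's Delight credit appears only on the 32-bit wrappers — something like `/* delta-swap steps at strides 1, 2, 4, 8; see the perfect (un)shuffle in Hacker's Delight */`, to be confirmed against the reference. The `#include` line at the top has lost its header name in this rendering.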
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/permutations.h
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.c 
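Review bot: In both unrolled variants of `P` (the inline one and the one dispatching to `P12`/`P8`/`P6`), an `nr` other than 12, 8 or 6 matches none of the three `if`s and the state is returned unpermuted with no diagnostic. Every caller in this commit passes the literal 12 or the rate-derived 6/8, so this is latent, but a misconfigured `ASCON_AEAD_RATE` would weaken the cipher silently rather than fail loudly. Add a precondition comment, `/* nr must be 12, 8 or 6; any other value applies no rounds */`, or an `else` branch that traps in debug builds.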
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/round.h new file mode 100644 index 0000000..2b8d9f1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/round.h 
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + /* linear layer */ + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowreg/word.h 
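Review bot: `PROUNDS` has no guard on `nr`: with `i = START(nr) = 24 - 2 * nr`, `nr == 0` gives `i == 24` and the do/while body still runs once, reading `constants[24]` and `constants[25]` past the 24-entry table in `bi32_lowsize/constants.c`, while `nr > 12` starts at a negative index. All current callers pass 12, 8 or 6, so this is a latent precondition rather than a live defect, but it should be stated on the function: `/* precondition: 0 < nr <= 12, so START(nr) lies in [0, END) */`. A debug-only `assert(nr > 0 && nr <= 12)` before the loop would make the contract checkable.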
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/ascon.h new file mode 100644 index 0000000..70a4dee --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/ascon.h 
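Review bot: `LOAD` and `STORE` access a whole `uint64_t` through `*(uint64_t*)bytes` regardless of `n`, so the partial-block paths in `bi32_lowreg/encrypt.c` (`LOAD(ad, adlen)`, `STORE(c, *px, mlen)` and `STORE(m, *px, clen)` with values below 8) read, and for `STORE` read-modify-write, up to 7 bytes beyond the caller's last valid byte; on decrypt that write lands past the end of `m`. The cast also sidesteps alignment and strict-aliasing rules, whereas `LOADBYTES`/`STOREBYTES` just below already do the same job correctly with `memcpy`. If the over-access is deliberate for this low-register variant, the header needs a comment stating that callers must supply buffers padded to a multiple of 8 bytes; otherwise `STORE` should reduce to `STOREBYTES(bytes, w, n)` and `LOAD` to `LOADBYTES` (which zero-fills the unused bytes, matching `MASK(n)` on little-endian hosts — to be confirmed for big-endian). `MASK` and `CLEAR` are marked "undefined for n == 0" but neither `LOAD` nor `STORE` repeats that caveat, even though they forward `n` straight to `MASK`.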
@@ -0,0 +1,36 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#define ASCON_ABSORB 0x1 +#define ASCON_SQUEEZE 0x2 +#define ASCON_INSERT 0x4 +#define ASCON_HASH 0x8 +#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE) +#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT) + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode); + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/config.h new file mode 100644 index 0000000..b6ab257 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/config.h @@ -0,0 +1,29 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 0 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.c 
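Review bot: ascon.h typedefs the key struct as `key_t`, which is also the POSIX type `key_t` declared in `<sys/types.h>`; any translation unit that pulls in that header (some libcs do so transitively from `<stdio.h>` or `<string.h>`) ends up with a conflicting typedef and fails to compile. The lowreg `encrypt.c` at the top of this chunk uses the same name, so the clash is not confined to this file. A project prefix avoids it — `typedef struct { ... } ascon_key_t;` — and for symmetry `state_t` would become `ascon_state_t`, though that one does not collide with a standard header.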
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/encrypt.c
new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/encrypt.c
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/endian.h 
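Review bot: At the end of `ascon_aead` the tag is written with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and `((uint64_t*)t)[1] = ...`, storing through a `uint64_t*` into what the only caller (`crypto_aead.c`) declares as `uint8_t t[16]`; that is an unaligned, type-punned store and undefined behavior on strict targets. Copying through a temporary keeps the same bytes without the cast: `uint64_t t0 = WORDTOU64(s.x[3]), t1 = WORDTOU64(s.x[4]);` / `memcpy(t, &t0, 8);` / `memcpy(t + 8, &t1, 8);` (the lowsize word.h is outside this chunk; if it provides `STOREBYTES` as the lowreg one does, that is the cleaner spelling). The parameter is named `tlen` here but `len` in the prototype in ascon.h; aligning the two avoids confusion about whether it is a text length or a tag length.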
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/forceinline.h 
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.c
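Review bot: The `#elif defined(__CLANG__)` branch is unreachable: clang defines `__clang__` (lowercase), and it also defines `__GNUC__`, so the preceding branch already catches it. Either drop the dead branch or spell it `#elif defined(__clang__)` and place it before the `__GNUC__` test if the `__has_attribute` probe is what is wanted for clang. As written it is harmless but misleading to anyone auditing which compilers get a forced inline.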
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/interleave.h
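Review bot: `B` is an exported single-letter global (`const uint32_t B[3]`, declared `extern` in interleave.h) and `TOBI`/`FROMBI` are likewise external symbols, so linking this implementation into a larger program invites name collisions. A project prefix (e.g. `ascon_bi_masks`) or making the table `static const` in the header would avoid that. The three values are the masks used at the 1-, 2- and 4-bit stages of `deinterleave16`/`interleave16` in interleave.h; a comment saying so, `/* swap masks for the 1-, 2- and 4-bit stages of (de)interleave16 */`, would help readers.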
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.c 
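Review bot: `deinterleave32` and `interleave32` carry only the Hacker's Delight credit; nothing states the representation they produce, which every other file in this directory depends on. As far as the `e`/`o` naming and the 16-bit split show, `deinterleave32` returns the even-indexed bits of the big-endian-loaded value in the low 32 bits and the odd-indexed bits in the high 32 bits, and `interleave32` is its inverse. A header comment such as `/* bit-interleaved word: low half = even bits, high half = odd bits of the big-endian 64-bit value */` would make the `ASCON_EXTERN_BI` switch in word.h understandable without reverse-engineering the shuffle.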
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/permutations.h
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.c 
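Review bot: In both unrolled variants of `P`, an `nr` other than 12, 8 or 6 matches none of the three `if` statements and the state is returned unpermuted, silently. Callers in this patch pass compile-time round counts, but an if/else-if chain with a documenting comment, `/* nr must be 6, 8 or 12; any other value is a programming error and leaves s unchanged */`, makes the contract visible. The `PROUNDS` variants have a different failure mode for a bad `nr`, since the loop in round.h stops only when the counter reaches `END`, with `START`/`INC`/`END` defined outside this hunk; the same comment should mention that.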
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/round.h new file mode 100644 index 0000000..2b8d9f1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/round.h 
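Review bot: `printstate` dumps all five state words, and during initialisation and finalisation those hold the key (`s.x[1] = K0; s.x[2] = K1;` in the ref `encrypt.c` hunk below), so the `ASCON_PRINT_STATE` guard is the only thing keeping key material out of stdout. The `#ifdef ASCON_PRINT_STATE` in printstate.h deserves a comment, `/* debug-only: prints the full state including key material; never define in production builds */`, and the build should not expose it as a default option. The same applies to the `ref/printstate.c` hunk later in this patch. Minor: `int i = strlen(text)` narrows a `size_t`; `size_t i` avoids the implicit conversion.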
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + /* linear layer */ + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/update.c 
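Review bot: The linear layer is written as `xtemp = x ^ ROR(x, a - b); x ^= ROR(xtemp, b)`, which equals `x ^ ROR(x, b) ^ ROR(x, a)` using one fewer rotation, but nothing says so and literals like `28 - 19` read as typos to someone who knows the specification's (19, 28) pairs. A comment above the block, `/* x ^= ROR(x,b) ^ ROR(x,a), computed as x ^= ROR(x ^ ROR(x,a-b), b) */`, documents the identity. `PROUNDS` terminates only when `i` equals `END` exactly, with `START`/`INC`/`END`/`RC` defined outside this hunk; a one-line comment on the expected counter encoding would help the next reader.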
@@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null 
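Review bot: `tmp` is declared without an initialiser and, when `ASCON_HASH_BYTES` is defined, is only assigned under `if (mode & ASCON_ABSORB)`, yet `if (mode & ASCON_INSERT) s->x[i] = tmp;` in the loop and `s->x[i] ^= tmp;` in the tail read it for any mode that has INSERT without ABSORB. Whether such a mode exists depends on how the mode constants are defined outside this hunk, but `uint64_t tmp = 0;` removes the dependency at no cost. Separately, the absorb branch tests `mode == ASCON_ABSORB` and `mode == ASCON_ENCRYPT` with equality while every other test uses `&`; if the modes are bit flags that combine, those two `printstate` calls never fire for combined modes.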
+++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/bi32_lowsize/word.h 
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/api.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/ascon.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/ascon.h new file mode 100644 index 0000000..78a7c27 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/ascon.h @@ -0,0 +1,10 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +typedef struct { + uint64_t x[5]; +} state_t; + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/constants.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/constants.h new file mode 100644 index 0000000..928d252 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/constants.h 
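Review bot: `LOAD` and `STORE` access the byte buffer through `*(uint64_t*)bytes`, which is an unaligned access and a strict-aliasing violation; `in`/`out` in update.c are arbitrary caller buffers, so targets that trap on misalignment fault and elsewhere the compiler is entitled to miscompile the aliasing. `LOADBYTES`/`STOREBYTES` in the same hunk already use `memcpy`, which compiles to the same single load/store where that is legal, so the two functions should do the same. `STORE` keeps its read-modify-write of the unmasked bytes below; only the access form changes. The hunk begins on the previous line.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x;
  memcpy(&x, bytes, sizeof x); /* alignment- and aliasing-safe */
  return U64TOWORD(x & MASK(n));
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x;
  memcpy(&x, bytes, sizeof x);
  x = (x & ~MASK(n)) | WORDTOU64(w);
  memcpy(bytes, &x, sizeof x);
}
/* … unchanged: LOADBYTES, STOREBYTES … */
```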
@@ -0,0 +1,81 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/encrypt.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/encrypt.c new file mode 100644 index 0000000..d911703 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/encrypt.c 
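Review bot: The IVs and round constants in this header appear to be the bit-interleaved form of the specification values (`RC0 0x0000000c0000000c` is `0xf0` split into its even and odd bits, and `ASCON_128_IV` differs from the `0x80400c0600000000` in the armv6 `constants.h` hunk later in this patch), but nothing in the file says so, and a reader checking them against the specification will conclude they are wrong. A header comment, `/* all constants are in bit-interleaved representation (low word = even bits, high word = odd bits) */`, would prevent that. The hunk begins on the previous line.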
@@ -0,0 +1,180 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" +#include "word.h" + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + + /* load key and nonce */ + const uint64_t K0 = LOADBYTES(k, 8); + const uint64_t K1 = LOADBYTES(k + 8, 8); + const uint64_t N0 = LOADBYTES(npub, 8); + const uint64_t N1 = LOADBYTES(npub + 8, 8); + + /* initialize */ + state_t s; + s.x[0] = ASCON_128_IV; + s.x[1] = K0; + s.x[2] = K1; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("init 2nd key xor", &s); + + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_128_RATE) { + s.x[0] ^= LOADBYTES(ad, 8); + printstate("absorb adata", &s); + P6(&s); + ad += ASCON_128_RATE; + adlen -= ASCON_128_RATE; + } + /* final associated data block */ + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + printstate("pad adata", &s); + P6(&s); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + + /* full plaintext blocks */ + while (mlen >= ASCON_128_RATE) { + s.x[0] ^= LOADBYTES(m, 8); + STOREBYTES(c, s.x[0], 8); + printstate("absorb plaintext", &s); + P6(&s); + m += ASCON_128_RATE; + c += ASCON_128_RATE; + mlen -= ASCON_128_RATE; + } + /* final plaintext block */ + s.x[0] ^= LOADBYTES(m, mlen); + STOREBYTES(c, s.x[0], mlen); + s.x[0] ^= PAD(mlen); + c += mlen; + printstate("pad plaintext", &s); + + /* finalize */ + s.x[1] ^= K0; + s.x[2] ^= K1; + printstate("final 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("final 2nd key xor", &s); + + /* set tag */ + STOREBYTES(c, s.x[3], 8); + 
STOREBYTES(c + 8, s.x[4], 8); + + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + + if (clen < CRYPTO_ABYTES) return -1; + + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + + /* load key and nonce */ + const uint64_t K0 = LOADBYTES(k, 8); + const uint64_t K1 = LOADBYTES(k + 8, 8); + const uint64_t N0 = LOADBYTES(npub, 8); + const uint64_t N1 = LOADBYTES(npub + 8, 8); + + /* initialize */ + state_t s; + s.x[0] = ASCON_128_IV; + s.x[1] = K0; + s.x[2] = K1; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("init 2nd key xor", &s); + + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_128_RATE) { + s.x[0] ^= LOADBYTES(ad, 8); + printstate("absorb adata", &s); + P6(&s); + ad += ASCON_128_RATE; + adlen -= ASCON_128_RATE; + } + /* final associated data block */ + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + printstate("pad adata", &s); + P6(&s); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + + /* full ciphertext blocks */ + clen -= CRYPTO_ABYTES; + while (clen >= ASCON_128_RATE) { + uint64_t c0 = LOADBYTES(c, 8); + STOREBYTES(m, s.x[0] ^ c0, 8); + s.x[0] = c0; + printstate("insert ciphertext", &s); + P6(&s); + m += ASCON_128_RATE; + c += ASCON_128_RATE; + clen -= ASCON_128_RATE; + } + /* final ciphertext block */ + uint64_t c0 = LOADBYTES(c, clen); + STOREBYTES(m, s.x[0] ^ c0, clen); + s.x[0] = CLEARBYTES(s.x[0], clen); + s.x[0] |= c0; + s.x[0] ^= PAD(clen); + c += clen; + printstate("pad ciphertext", &s); + + /* finalize */ + s.x[1] ^= K0; + s.x[2] ^= K1; + printstate("final 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("final 2nd key xor", &s); + + /* set 
tag */ + uint8_t t[16]; + STOREBYTES(t, s.x[3], 8); + STOREBYTES(t + 8, s.x[4], 8); + + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= c[i] ^ t[i]; + result = (((result - 1) >> 8) & 1) - 1; + + return result; +} diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constindex b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/implementors b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/permutations.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/permutations.h new file mode 100644 index 0000000..2a5d923 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/permutations.h 
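Review bot: `crypto_aead_decrypt` writes the recovered plaintext into `m` block by block and compares the tag only at the end, so on a mismatch the caller's buffer holds unauthenticated plaintext and nothing but the -1 return discourages using it. Keeping the start pointer, `unsigned char* m0 = m;` before the loops, and clearing on failure, `if (result) memset(m0, 0, *mlen);` (with `<string.h>`), costs one branch on the already-public outcome and removes that footgun. Neither function clears `s`, `K0`/`K1` or `t` before returning, so key-dependent state stays on the stack; a `memset` or platform secure-zero at the end of both is the usual hardening. The tag compare is a sound constant-time construction, and the "check compiler output" caveat in its comment is well placed. The function begins two lines earlier in this hunk.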
@@ -0,0 +1,46 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "ascon.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +static inline void P12(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +static inline void P8(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +static inline void P6(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.c b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/printstate.h 
@@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/round.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/round.h new file mode 100644 index 0000000..3653746 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/round.h 
@@ -0,0 +1,50 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +static inline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +static inline uint64_t ROR(uint64_t x, int n) { + uint32_t al = (uint32_t)x; + uint32_t ah = x >> 32; + uint32_t bl, bh; + bl = (n % 2) ? ROR32(ah, (n - 1) / 2) : ROR32(al, n / 2); + bh = (n % 2) ? ROR32(al, (n + 1) / 2) : ROR32(ah, n / 2); + return (uint64_t)bh << 32 | bl; +} + +static inline void ROUND(state_t* s, uint64_t C) { + state_t t; + /* addition of round constant */ + s->x[2] ^= C; + /* printstate(" round constant", s); */ + /* substitution layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + /* start of keccak s-box */ + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); + /* end of keccak s-box */ + t.x[1] ^= t.x[0]; + t.x[0] ^= t.x[4]; + t.x[3] ^= t.x[2]; + t.x[2] = ~t.x[2]; + /* printstate(" substitution layer", &t); */ + /* linear diffusion layer */ + s->x[0] = t.x[0] ^ ROR(t.x[0], 19) ^ ROR(t.x[0], 28); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61) ^ ROR(t.x[1], 39); + s->x[2] = t.x[2] ^ ROR(t.x[2], 1) ^ ROR(t.x[2], 6); + s->x[3] = t.x[3] ^ ROR(t.x[3], 10) ^ ROR(t.x[3], 17); + s->x[4] = t.x[4] ^ ROR(t.x[4], 7) ^ ROR(t.x[4], 41); + printstate(" round output", s); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/word.h b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/word.h new file mode 100644 index 0000000..3157950 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128bi32v12/ref/word.h 
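Review bot: The two commented-out `printstate(...)` calls in `ROUND` are dead code; either drop them or keep them live, since the final `printstate(" round output", s)` already compiles to nothing when `ASCON_PRINT_STATE` is off. `ROR` here rotates a bit-interleaved word (an odd `n` swaps the halves, as `bl = ROR32(ah, ...)` shows), which a reader will otherwise take for a plain 64-bit rotation; a one-line comment above it, `/* rotate a bit-interleaved 64-bit word right by n */`, would prevent that misreading.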
@@ -0,0 +1,36 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +typedef uint64_t uint64_t; + +/* get byte from 64-bit Ascon word */ +#define GETBYTE(x, i) ((uint8_t)((uint64_t)(x) >> (56 - 8 * (i)))) + +/* set byte in 64-bit Ascon word */ +#define SETBYTE(b, i) ((uint64_t)(b) << (56 - 8 * (i))) + +/* set padding byte in 64-bit Ascon word */ +#define PAD(i) SETBYTE(0x80, i) + +/* load bytes into 64-bit Ascon word */ +static inline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + for (int i = 0; i < n; ++i) x |= SETBYTE(bytes[i], i); + return x; +} + +/* store bytes from 64-bit Ascon word */ +static inline void STOREBYTES(uint8_t* bytes, uint64_t x, int n) { + for (int i = 0; i < n; ++i) bytes[i] = GETBYTE(x, i); +} + +/* clear bytes in 64-bit Ascon word */ +static inline uint64_t CLEARBYTES(uint64_t x, int n) { + for (int i = 0; i < n; ++i) x &= ~SETBYTE(0xff, i); + return x; +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/api.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/architectures b/ascon/Implementations/crypto_aead/ascon128v12/armv6/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/ascon.h 
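Review bot: `typedef uint64_t uint64_t;` is a self-typedef that C99 compilers reject as a typedef redefinition (repeating an identical typedef is only permitted from C11), and it serves no purpose since the preceding include already provides the type; drop the line. `LOADBYTES`, `STOREBYTES` and `CLEARBYTES` take an unchecked `n`; a comment, `/* n must be in 0..8 */`, documents the bound the callers in encrypt.c satisfy through the rate arithmetic.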
@@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/config.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/config.h new file mode 100644 index 0000000..99d7b54 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/config.h @@ -0,0 +1,19 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 0 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/constants.h 
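Review bot: The typedef name `key_t` collides with POSIX's `key_t` from `<sys/types.h>`, which some libc headers pull in by default (glibc's `<stdlib.h>` does under its default feature macros), and a conflicting typedef is a compile error. A project-prefixed name such as `ascon_key_t` avoids it; the rename touches the prototypes below and the `encrypt.c`/`aead.c` sources outside this hunk. The `#if (CRYPTO_KEYBYTES == 20)` also relies on `api.h` having been included before this header, which `ascon.h` itself does not do; an explicit `#include "api.h"` or a comment stating the ordering would make that dependency visible.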
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/encrypt.c 
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned
char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/endian.h
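Review bot: `crypto_aead_decrypt` at the end of the hunk has already written every decrypted byte into `m` and set `*mlen` by the time `NOTZERO` compares the tag, so on a mismatch the caller holds a buffer of unauthenticated plaintext with a non-zero length and only the -1 return to tell it not to use it. Clearing the output on failure costs little and removes that footgun: `int r = NOTZERO(s.x[3], s.x[4]); if (r) { memset(m, 0, clen); *mlen = 0; } return r;` (`memset` needs the string header, which word.h appears to include for `memcpy` — the header names are stripped in this rendering). It would also make the failure path consistent with the early `return -1` for short input, which leaves `*mlen` untouched while the tag-mismatch path leaves it set to `clen - CRYPTO_ABYTES`. Separately, the final-block code in `ascon_adata`, `ascon_encrypt` and `ascon_decrypt` calls `LOAD`/`STORE` with a length below 8 on `ad`, `m` and `c`; the armv6 word.h versions of those helpers access a full `uint64_t` at that address, so the last partial block reads — and in the `STORE(m, *px, clen)` case writes — past the caller's buffer unless callers over-allocate, a contract this hunk does not state.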
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/implementors b/ascon/Implementations/crypto_aead/ascon128v12/armv6/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.c
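Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang defines `__clang__` (lowercase) and also `__GNUC__`, so every clang build takes the `__GNUC__` branch two lines earlier and the `__has_attribute` probe never runs. Either drop the branch or test `defined(__clang__)` ahead of the GNU branch if the attribute check is wanted. The effect is benign today because both branches expand to the same `inline __attribute__((__always_inline__))`, but the dead code suggests a fallback that does not exist.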
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.h new file mode 100644 index 0000000..8b95b06 
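Review bot: In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` branch `P()` references `P8(s)` and `P6(s)` under `if (nr == 8)` / `if (nr == 6)`, but permutations.c only defines `P8` for rate 16 (or `ASCON_HASH_ROUNDS == 8`) and `P6` only for rate 8, so a rate-8 build like this one links only if the compiler folds the `nr == 8` branch away after inlining; I would expect that to fail at -O0, where `always_inline` still inlines but constants are not propagated. Guarding the declarations and the matching `if` lines with the same preprocessor conditions permutations.c uses would make the dependency explicit instead of relying on dead-code elimination. Separately, all three `P()` variants are plain `if` chains with no `else`, so an `nr` other than 12, 8 or 6 silently skips the permutation; the visible callers only pass those values, but an `else` arm ending in a diagnostic would make that contract visible.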
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/round.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/round.h
new file mode 100644
index 0000000..cdc6a38
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/round.h
@@ -0,0 +1,283 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor 
%[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] 
"=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor 
%[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ 
\ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], 
lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* 
ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6/word.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
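Review bot: `ROUND_LOOP` in round.h hard-codes the round-constant step and terminator as `sub %[C], #15` / `cmp %[C], #60`, while constants.h defines the same pair as `INC -0x0f` and `END 0x3c` right next to `START(n)`, which is what `PROUNDS` feeds in; the two places will drift if the schedule is ever adjusted. Passing them as immediate operands, something like `[ inc ] "i"(-(INC)), [ end ] "i"(END)` and using `%[inc]` / `%[end]` in the two instructions, would keep one source of truth (the sign flip because `INC` is negative and the loop uses `sub`). The ROUND5 comment's `https://github_com/Lucus16/ascon-riscv/` reads like a mangled `github.com` URL — worth confirming against the committed file.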
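Review bot: `LOAD` and `STORE` dereference `bytes` as a `uint64_t` regardless of `n`, so the final-block calls in encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(m, *px, clen)` with n below 8) read up to 7 bytes past the caller's buffer, and `STORE` then writes those bytes back with `|=` of the unmasked trailing bytes of `w` — in the decrypt path those trailing bytes are state-derived, so secret-dependent data is written outside the plaintext buffer; the cast is also an unaligned, aliasing-violating access that only some ARM core configurations tolerate. `MASK(n)` keeps the low 8n bits, which are the first n bytes only on a little-endian host, so under the big-endian branch endian.h provides `LOAD` would keep the wrong bytes. Unless the project documents that callers must over-allocate (nothing in this hunk says so), both helpers should do what `LOADBYTES`/`STOREBYTES` further down already do and copy exactly n bytes, as below, which is correct for either byte order. `NOTZERO` relies on an arithmetic right shift of a negative `int`, which is implementation-defined; a `uint64_t`-only formulation would avoid that, but it is a portability nit next to the above.
```c
/* … unchanged: word_t, ROR, KEYROT, NOTZERO, PAD, PRFS_MLEN, CLEAR, MASK … */

forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* touches exactly n bytes, at any alignment */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n); /* writes exactly n bytes; bytes[n..] untouched */
}

/* … unchanged: LOADBYTES, STOREBYTES … */
```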
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/encrypt.c
new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/encrypt.c
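Review bot: `crypto_aead_decrypt` leaves the decrypted bytes in `m` and the length in `*mlen` even when the tag comparison fails, so a caller that ignores the -1 return, or reads `m` on the error path, is handed unauthenticated plaintext. The CAESAR/SUPERCOP API permits this, but wiping `m` once the constant-time comparison has produced its verdict costs nothing and closes the footgun; the branch is on the final result, which the return value reveals anyway. While here, `(result - 1) >> 8` right-shifts a negative `int` on a tag match, which is implementation-defined in C (arithmetic on the compilers this targets, but an unsigned formulation avoids relying on it). `memset` needs `<string.h>`, which this file does not visibly include.
```c
  /* verify tag (should be constant time, check compiler output) */
  uint32_t result = 0;
  for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
  /* 0 on match, -1 otherwise, without shifting a negative value */
  int ret = -(int)((result | (0u - result)) >> 31);
  /* never hand unauthenticated plaintext back to the caller */
  if (ret) memset(m, 0, (size_t)*mlen);
  return ret;
```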
@@ -0,0 +1,95 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ key_t key;
+ ascon_loadkey(&key, k);
+ /* initialize */
+ state_t s;
+ ascon_initaead(&s, npub, &key);
+ /* process associated data */
+ if (adlen) {
+ ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB);
+ printstate("pad adata", &s);
+ P(&s, nr);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+ /* process plaintext/ciphertext */
+ ascon_update(&s, out, in, tlen, mode);
+ if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s);
+ if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s);
+ /* finalize */
+ ascon_final(&s, &key);
+ ((uint64_t*)t)[0] = WORDTOU64(s.x[3]);
+ ((uint64_t*)t)[1] = WORDTOU64(s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/endian.h
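Review bot: `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and the line after it store 64-bit words through a pointer derived from a `uint8_t*`; `t` is a `uint8_t t[16]` in the crypto_aead.c callers, so this is a strict-aliasing violation and a potentially unaligned 64-bit store, which on ARMv6 can fault or be silently rotated depending on the instruction the compiler picks (`strd`/`stm` require alignment) and the CPU's alignment-check setting. `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` from word.h performs the same byte-swapped store via `memcpy` and is already the pattern used for byte buffers elsewhere. The locals `key` and `s` still hold the key words and key-derived state when `ascon_aead` returns and are never cleared; a wipe before return through a `volatile` write or an `explicit_bzero`-style helper (a plain `memset` of a dead local may be optimized away) is worth adding. `ascon_aead` starts on the previous diff line.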
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.c
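Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be taken: clang defines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so the preceding branch matches first. The `__has_attribute` probe that branch was meant to provide is therefore never consulted. Either drop the dead branch or fold both compilers into one test, `#elif defined(__clang__) || defined(__GNUC__)`, since both accept `__attribute__((__always_inline__))`.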
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/permutations.h
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.c 
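Review bot: The inline `P` dispatchers (`if (nr == 12) ... if (nr == 8) ... if (nr == 6) ...`) silently apply no permutation at all for any other `nr`, which for a cipher is the worst failure mode: the state passes through unchanged and every call site still "succeeds". The visible callers only pass 12 or the compile-time 6/8, so this is latent, but a precondition comment above the function, `/* nr must be 6, 8 or 12; any other value leaves the state unpermuted */`, or an `if/else if/else` chain that fails loudly in the final `else`, would document the contract. The `!ASCON_UNROLL_LOOPS` path delegates the same question to `START(nr)` in round.h, whose countdown loop only terminates for `nr` in the expected range, so the comment belongs on that path too.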
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/round.h new file mode 100644 index 0000000..cdc6a38 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/round.h 
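Review bot: With `ASCON_PRINT_STATE` defined, `printstate` prints all five state words to stdout, and encrypt.c calls it at `init 1st key xor` when `x1`/`x2` still hold the raw key words `k1`/`k2`, so a tracing build writes the key and every intermediate state to the terminal or to whatever captures stdout. That is fine for test-vector tracing, but the header carries no warning; a comment in printstate.h such as `/* Debug tracing only: prints the full state, including the key words during init, to stdout. Never define ASCON_PRINT_STATE in a production build. */` makes the hazard visible. A minor nit in printstate.c: `for (int i = strlen(text); ...)` narrows `size_t` to `int`, harmless for these short labels but worth an explicit cast.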
@@ -0,0 +1,283 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor 
%[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] 
"=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor 
%[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ 
\ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], 
lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* 
ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/update.c 
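Review bot: `ROUND_LOOP`'s loop control (`sub %[C], #15` / `cmp %[C], #60` / `bne rbegin_%=`) writes the condition flags, yet the asm statement declares no clobber, so the compiler may assume flags survive across it; as far as I know recent GCC ARM backends add a CC clobber to every asm implicitly, but that is not something to rely on for older GCC or other toolchains, and the one-token fix `: "cc");` removes the doubt. The statement also pins thirteen general-purpose registers (ten `+r` state halves, `C`, and two temporaries), which on a 32-bit ARM target with a frame pointer reserved can be rejected as impossible constraints at low optimization levels; a comment stating the build assumption (`-fomit-frame-pointer` or `-O1` and above) above `ROUND_LOOP` would save the next person a confusing compiler error. On the constant-time side the only branch is on the public round counter `C`, consistent with the goal-constbranch note.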
@@ -0,0 +1,77 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode) {
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) {
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
+ }
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
+ }
+ /* compute permutation for full blocks */
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
+ }
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
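Review bot: `out += 8` runs on every full block even when `out` is the null pointer that `ascon_aead` passes for the associated-data pass (`ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB)`); arithmetic on a null pointer is undefined behaviour in C even when the result is never dereferenced, and UBSan reports it. Every mode that writes output carries `ASCON_SQUEEZE`, so moving the increment into that branch, `if (mode & ASCON_SQUEEZE) { STORE(out, s->x[i], 8); out += 8; ... }`, and deleting the bare `out += 8` fixes it with a branch on public data only. A short comment above the function recording that `len`, `mode` and the pointers are public and only the XORed words are secret would make the constant-time argument explicit for future changes.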
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6_lowsize/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/api.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/api.h
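Review bot: `LOAD` and `STORE` dereference `*(uint64_t*)bytes` on pointers that come straight from caller buffers (`in`, `npub`, `out` in encrypt.c and update.c), so they are unaligned 64-bit accesses through an incompatible type; the `ldrd`/`strd`/`ldm` forms the compiler may emit for them require alignment on ARMv6 and fault on an odd buffer, and the aliasing violation lets the optimizer reorder them against surrounding byte writes. `STORE` also reads the output buffer before writing it (`&= ~MASK(n)` with `n == 8` masks with zero but still performs the load), so every call site reads uninitialized memory. `LOADBYTES`/`STOREBYTES` already show the portable `memcpy` form; the rewrite below keeps the same semantics and call signatures, with the read-modify-write of `STORE` confined to the partial-word case, which no visible caller uses. Separately, the `CLEAR` comment says it is undefined for `n == 0`, but `~0ull >> 0` is well-defined; it is `n == 8` (a shift by 64) that is undefined, and `MASK` is the one undefined for `n == 0`.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, 8);
  return U64TOWORD(x & MASK(n));
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  if (n < 8) { /* keep the bytes past n; n is a compile-time constant at all call sites */
    uint64_t old = 0;
    memcpy(&old, bytes, 8);
    x |= old & ~MASK(n);
  }
  memcpy(bytes, &x, 8);
}
```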
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/architectures b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/ascon.h
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/config.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/config.h
new file mode 100644
index 0000000..0ac7395
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/config.h
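Review bot: armv6m/ascon.h carries the same `key_t` typedef as the armv6_lowsize variant, and the same clash with the POSIX `key_t` from `<sys/types.h>` applies whenever a hosted standard header (on glibc, `<stdlib.h>` under the default feature macros) lands in the same translation unit; a project-prefixed `ascon_key_t` in the struct and in the two prototypes that take `const key_t* k` resolves it. This header also declares `ascon_inithash`/`ascon_absorb`/`ascon_squeeze` inside an AEAD-only directory; if no hash sources accompany them, a comment such as `/* hash entry points; defined only when the hash sources are built alongside */` would stop readers hunting for the missing definitions.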
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/constants.h
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/encrypt.c
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/endian.h
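Review bot: `crypto_aead_decrypt` writes the whole decrypted message into `m` before the tag is checked and, on mismatch, returns -1 while leaving that unauthenticated plaintext in the caller's buffer; wiping it costs three lines, `int result = NOTZERO(s.x[3], s.x[4]);` / `if (result) memset(m, 0, clen);` / `return result;` (memset needs the string header, whose include line is stripped on this page, so confirm it is already reached via word.h, which calls memcpy). Separately, the final-block paths call `LOAD(m, mlen)` in ascon_encrypt, `LOAD(ad, adlen)` in ascon_adata and `STORE(m, *px, clen)` in ascon_decrypt with a length below 8, while both helpers access 8 bytes at that address: the two loads read up to 7 bytes past the caller's input, and the STORE is a read-modify-write past the end of `m` whenever the caller sized it to exactly `*mlen` bytes. `LOADBYTES`/`STOREBYTES` from word.h take the same arguments, stay within `n` bytes and yield the same word on little-endian targets, so those three calls could switch to them; the remaining short calls, `LOAD(c, clen)` and `STORE(c, *px, mlen)`, stay in bounds only because the 16-byte tag follows in the same buffer, which deserves a comment at each site.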
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/forceinline.h
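Review bot: `U64BIG(x)` expands its argument eight times and `U32BIG(x)` four, so a call with a side-effecting or expensive expression is evaluated that many times; the callers in word.h happen to assign to a local first, but nothing here says that is required. A comment above the little-endian definitions, `/* argument is evaluated multiple times; pass a plain variable */`, or an inline function built on `__builtin_bswap64` where `__GNUC__` is defined with this macro as the fallback, would make the contract explicit. The `defined(_MSC_VER)` arm silently assumes every MSVC target is little-endian, which also deserves a one-line comment.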
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/implementors b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.c
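Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be taken: clang spells its macro `__clang__` (lowercase) and also defines `__GNUC__`, so the preceding branch already claims it and the `__has_attribute` probe is dead code. The resulting definition is the same either way, so this is a cleanliness point rather than a behaviour change; either drop the branch or rename it to `__clang__` and move it ahead of the `__GNUC__` test so the attribute probe does what it was written for. The header comment should also say that consumers may override the macro, since encrypt.c redefines `forceinline` to nothing when `ASCON_INLINE_MODE` is 0.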
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/permutations.h
@@ -0,0 +1,78 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+forceinline void P12ROUNDS(state_t* s) {
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.c
new file mode 100644
index 0000000..9b03f87
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.c
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/round.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/round.h
new file mode 100644
index 0000000..92b9712
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/round.h
@@ -0,0 +1,347 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "push {%[tmp1]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], 
%[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], %[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + 
"movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" + "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "pop {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + "sub %[tmp1], %[tmp1], #15\n\t" + "cmp %[tmp1], #60\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "=l"(tmp0), [ tmp2 ] "=l"(tmp1) + : + :); 
+} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp0], %[C]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], 
%[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + "movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" 
+ "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C ] "ri"(C) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ 
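Review bot: `ROUND_LOOP` hard-codes the loop step and terminator as `sub %[tmp1], %[tmp1], #15` and `cmp %[tmp1], #60`, duplicating `INC` (-0x0f) and `END` (0x3c) from constants.h that `START(n)` is defined against; if either constant changes, the looped path silently diverges from the unrolled `ROUND` path, so at least a comment `/* #15 and #60 must match INC/END in constants.h */` belongs on those two lines. The operand list binds the asm name `tmp1` to the C variable `C` and the asm name `tmp2` to the C variable `tmp1`, which makes auditing register use needlessly hard; `[cnt] "+l"(C)` and `[tmp2] "=l"(tmp2)` with a matching `uint32_t tmp0, tmp2;` would line the two namespaces up. The `push {%[tmp1]}` / `pop {%[tmp1]}` pair is the only stack use in either block and is not explained; a one-line comment stating why the round counter is spilled for the duration of the round body would help the next reader. Finally, `ROUND` ends with `printstate(" round output", s)` while `ROUND_LOOP` has no equivalent, so ASCON_PRINT_STATE traces differ between unrolled and looped builds.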
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m/word.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/crypto_aead.c 
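Review bot: `#define INC -0x0f` expands to an unparenthesized negative literal, so a use such as `x INC` or `INC * y` does not parse as intended; write it as `#define INC (-0x0f)`. `START(n)` is already fully parenthesized and `END` is a plain positive literal, so only `INC` needs the change. The armv7m constants.h at the end of this patch carries the same definition.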
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/encrypt.c new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/encrypt.c
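Review bot: On a tag mismatch `crypto_aead_decrypt` returns -1 but leaves the unauthenticated plaintext in `m` with its length reported in `*mlen`, so a caller that forgets to check the return value consumes forged data. The LWC API does not require clearing the buffer, but it is cheap defence in depth on the failure path: `int ret = (((result - 1) >> 8) & 1) - 1;` / `if (ret) for (unsigned long long j = 0; j < *mlen; ++j) m[j] = 0;` / `return ret;`. The branch-free tag comparison itself is unaffected, since the wipe happens only after the verdict that the return value exposes anyway, and the existing comment asking to check the compiler output for constant-time behaviour still applies to the comparison loop.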
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/endian.h 
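Review bot: `ascon_aead` writes the tag with `((uint64_t*)t)[0] = ...` and `((uint64_t*)t)[1] = ...`, a 64-bit store through a `uint8_t*` whose only caller (`uint8_t t[16]` in crypto_aead.c) does not guarantee 8-byte alignment; on ARMv6-M, the target this directory is named for, an unaligned word access raises a HardFault, and in C the access through the wrong type is a strict-aliasing violation. `LOAD`/`STORE` in word.h have the same `*(uint64_t*)bytes` pattern on the caller-supplied key, nonce, message and ciphertext pointers, which the API does not constrain either. The same header already contains the portable form in `LOADBYTES`/`STOREBYTES` (a `memcpy` the compiler folds into a plain load/store where alignment permits), so the tag can be emitted as `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` and the 8-byte loads in `ascon_loadkey`/`ascon_initaead` switched to `LOADBYTES` without changing results.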
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/forceinline.h 
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.c 
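Review bot: `#elif defined(__CLANG__)` in forceinline.h tests a macro clang does not define; the identifying macro is `__clang__`, and since clang also defines `__GNUC__` the preceding branch already captures it, so this branch is dead code. Either drop it or spell it `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test if the `__has_attribute` probe is meant to run on clang. If it is kept, guard the probe as `#if defined(__has_attribute) && __has_attribute(__always_inline__)`, because on a compiler without `__has_attribute` the bare call is a preprocessing error rather than a quiet 0.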
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.c 
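Review bot: Both unrolled `P()` dispatchers test `nr == 12`, `nr == 8` and `nr == 6` with independent `if`s and silently do nothing for any other round count, so a wrong `nr` leaves the state unpermuted without any diagnostic. A one-line comment above each, `/* only nr in {6, 8, 12} is supported; other values are a no-op */`, documents the contract, and the `#else` path that calls `PROUNDS(s, nr)` should note that it accepts any nr. The four `#if` arms select between inline and out-of-line permutations, so a header comment naming the `ASCON_INLINE_PERM`/`ASCON_UNROLL_LOOPS` combination each arm serves would also help a reader pick the right config.h settings.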
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/round.h new file mode 100644 index 0000000..92b9712 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/round.h 
@@ -0,0 +1,347 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "push {%[tmp1]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], 
%[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], %[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + 
"movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" + "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "pop {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + "sub %[tmp1], %[tmp1], #15\n\t" + "cmp %[tmp1], #60\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "=l"(tmp0), [ tmp2 ] "=l"(tmp1) + : + :); 
+} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp0], %[C]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], 
%[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + "movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" 
+ "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C ] "ri"(C) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ 
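Review bot: The inline-asm blocks in `ROUND_LOOP` and `ROUND` execute `movs`, `sub` and `cmp`, all of which write the condition flags, yet both clobber lists are empty (`:);`); unless the ARM backend already treats every asm statement as clobbering the flags, they should end with `: "cc");` so the compiler never keeps a comparison live across the block. `ROUND_LOOP` also hardcodes its loop control as `sub #15` / `cmp #60` while constants.h defines `INC` (-0x0f) and `END` (0x3c) for exactly that purpose and `PROUNDS` feeds it `START(nr)`, which expands to 60 + 15*nr; a comment beside the two literals, `/* C -= 15 per round; START(nr) reaches END (60) after nr rounds */`, ties them together. The operand naming is confusing: asm operand `[tmp2]` is bound to the C variable `tmp1` and `[tmp1]` to `C`, so renaming the C locals to match the asm labels costs nothing. Finally, a short header comment on the register layout — each 64-bit state word is held as the two 32-bit halves `s->w[i][0]`/`s->w[i][1]`, and the `lsl`/`lsr` pairs with shift counts summing to 32 appear to build the 64-bit rotations of the linear layer — would make the blocks reviewable without re-deriving it.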
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/update.c 
@@ -0,0 +1,77 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode) {
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) {
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
+ }
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
+ }
+ /* compute permutation for full blocks */
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
+ }
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/word.h new file mode 100644
index 0000000..79bfeb4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv6m_lowsize/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/api.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/api.h new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/api.h
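Review bot: The comment on `CLEAR` says `/* undefined for n == 0 */`, but its shift is `~0ull >> (8 * n)`, which is well defined for n == 0 (shift by 0, mask of all ones) and undefined for n == 8 (shift by 64); the identical comment on `MASK`, whose shift is `64 - 8 * n`, is the one that is correct. Change the `CLEAR` comment to `/* undefined for n == 8 */` so the stated precondition matches the code; update.c only calls `CLEAR` with the partial-block length after the `while (len >= 8)` loop, so current callers stay within the bound. `LOAD` also reads all 8 bytes through `*(uint64_t*)bytes` regardless of `n` and only masks the result, while `LOADBYTES` with the same signature reads exactly `n` bytes; a one-line comment on `LOAD` saying the buffer must be readable for 8 bytes would stop the two from being used interchangeably on short inputs.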
@@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/architectures b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/ascon.h @@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/config.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/config.h new file mode 100644 index 0000000..99d7b54 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/config.h 
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 0
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/constants.h
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/encrypt.c
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/endian.h
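Review bot: `crypto_aead_decrypt` has already written the whole decrypted stream to `m` by the time `NOTZERO` reports a tag mismatch, so on failure the caller gets `-1` together with unauthenticated plaintext sitting in its output buffer; clearing it on failure stops a careless caller from consuming it: `int ret = NOTZERO(s.x[3], s.x[4]);` / `if (ret) memset(m, 0, (size_t)clen);` / `return ret;`. Branching on `ret` there is fine, since the verdict is returned to the caller anyway and the comparison itself stays in `NOTZERO`. Both entry points also leave `key` and the final `s` on the stack after return; whether that matters depends on the deployment, but a comment stating that scrubbing is the caller's responsibility would make the contract explicit. The `NOTZERO` comment asks to check compiler output; since `NOTZERO` is branch-free by construction, the part worth checking is that the compiler does not turn the final return into a conditional, and that would be a useful thing to state in the comment.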
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/forceinline.h
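Review bot: `U64BIG(x)`, `U32BIG(x)` and `U16BIG(x)` expand `x` several times (eight times in the 64-bit form), so an argument with side effects would be evaluated repeatedly; every visible caller passes a plain local, so this is latent, but a one-line comment above the little-endian block, `/* x is evaluated multiple times: pass an expression without side effects */`, protects future callers. The `_MSC_VER` fallback assumes that MSVC only targets little-endian machines, which is true for the platforms it currently supports but is an assumption worth stating in the comment rather than leaving implicit.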
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/implementors b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.c
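Review bot: The `#elif defined(__CLANG__)` branch can never be taken: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so the preceding branch already catches it. Either drop the dead branch or, if the `__has_attribute` probe is the intended path for clang, test `defined(__clang__)` before the `__GNUC__` case. As written the file still yields the right macro for clang, so this is a correctness-of-intent point rather than a build break.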
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/permutations.h
@@ -0,0 +1,123 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+#define LOADSTATE(s, a, b, c, d, e) \
+ do { \
+ a.x = s->x[0]; \
+ b.x = s->x[1]; \
+ c.x = s->x[2]; \
+ d.x = s->x[3]; \
+ e.x = s->x[4]; \
+ } while (0)
+
+#define STORESTATE(s, a, b, c, d, e) \
+ do { \
+ s->x[0] = a.x; \
+ s->x[1] = b.x; \
+ s->x[2] = c.x; \
+ s->x[3] = d.x; \
+ s->x[4] = e.x; \
+ } while (0)
+
+forceinline void P12ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC0);
+ ROUND5(x2, x3, x4, x0, x1, RC1);
+ ROUND5(x4, x0, x1, x2, x3, RC2);
+ ROUND5(x1, x2, x3, x4, x0, RC3);
+ ROUND5(x3, x4, x0, x1, x2, RC4);
+ ROUND5(x0, x1, x2, x3, x4, RC5);
+ ROUND5(x2, x3, x4, x0, x1, RC6);
+ ROUND5(x4, x0, x1, x2, x3, RC7);
+ ROUND5(x1, x2, x3, x4, x0, RC8);
+ ROUND5(x3, x4, x0, x1, x2, RC9);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCa);
+ ROUND5(x2, x3, x4, x0, x1, RCb);
+ STORESTATE(s, x4, x0, x1, x2, x3);
+#else
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC4);
+ ROUND5(x2, x3, x4, x0, x1, RC5);
+ ROUND5(x4, x0, x1, x2, x3, RC6);
+ ROUND5(x1, x2, x3, x4, x0, RC7);
+ ROUND5(x3, x4, x0, x1, x2, RC8);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RC9);
+ ROUND5(x2, x3, x4, x0, x1, RCa);
+ ROUND5(x4, x0, x1, x2, x3, RCb);
+ STORESTATE(s, x1, x2, x3, x4, x0);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC6);
+ ROUND5(x2, x3, x4, x0, x1, RC7);
+ ROUND5(x4, x0, x1, x2, x3, RC8);
+ ROUND5(x1, x2, x3, x4, x0, RC9);
+ ROUND5(x3, x4, x0, x1, x2, RCa);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCb);
+ STORESTATE(s, x2, x3, x4, x0, x1);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCb);
+#endif
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.c
new file mode 100644
index 0000000..9b03f87
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.c
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
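Review bot: The two unrolled `P()` definitions dispatch on `nr` with three independent `if` statements and no fallback, so a round count other than 12, 8 or 6 leaves the state untouched with no diagnostic, which for a permutation is the quietest possible failure. Every visible caller passes a literal or `nr` chosen from 6 and 8, so this cannot fire today, but an `else` chain ending in an assertion, or at least the comment `/* nr must be 12, 8 or 6; other values are silently ignored */`, records the contract. The differing `STORESTATE` argument orders in the `#if !ASCON_INLINE_PERM` branches of `P12ROUNDS`, `P8ROUNDS` and `P6ROUNDS` undo the register rotation that the chain of `ROUND5` calls accumulates; a one-line comment saying so next to each store would spare the next reader a round-by-round trace. The `P12ROUNDS` body starts in the previous physical line of this rendering.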
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/round.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/round.h
new file mode 100644
index 0000000..f70ebf3
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/round.h
@@ -0,0 +1,273 @@
+#ifndef ROUND_H_
+#define ROUND_H_
+
+#include "ascon.h"
+#include "printstate.h"
+
+forceinline void ROUND_LOOP(state_t* s, uint32_t C) {
+ uint32_t tmp0, tmp1;
+ __asm__ __volatile__(
+ "rbegin_%=:;\n\t"
+ "eor %[x2_l], %[x2_l], %[C]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "orn %[tmp0], %[x4_l], %[x0_l]\n\t"
+ "bic %[tmp1], %[x2_l], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_l], %[x4_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_l], %[x0_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_l], %[x2_l]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0]\n\t"
+ "eor %[x1_l], %[x1_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x2_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[x3_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[x1_h]\n\t"
+ "orn %[tmp0], %[x4_h], %[x0_h]\n\t"
+ "bic %[tmp1], %[x2_h], %[x1_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_h], %[x4_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_h], %[x0_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_h], %[x2_h]\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp1]\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp0]\n\t"
+ "eor %[x1_h], %[x1_h], %[x0_h]\n\t"
+ "eor %[x3_h], %[x3_h], %[x2_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t"
+ "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t"
+ "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t"
+ "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t"
+ "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t"
+ "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t"
+ "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t"
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t"
+ "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t"
+ "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t"
+ "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t"
+ "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t"
+ "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t"
+ "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t"
+ "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t"
+ "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t"
+ "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t"
+ "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t"
+ "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t"
+ "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t"
+ "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t"
+ "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t"
+ "sub %[C], #15\n\t"
+ "cmp %[C], #60\n\t"
+ "bne rbegin_%=\n\t"
+ : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C),
+ [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1)
+ :
+ :);
+}
+
+forceinline void ROUND(state_t* s, uint32_t C) {
+ uint32_t tmp0, tmp1;
+ __asm__ __volatile__(
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "orn %[tmp0], %[x4_l], %[x0_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[C_l]\n\t"
+ "bic %[tmp1], %[x2_l], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_l], %[x4_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_l], %[x0_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_l], %[x2_l]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0]\n\t"
+ "eor %[x1_l], %[x1_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x2_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[x3_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[x1_h]\n\t"
+ "orn %[tmp0], %[x4_h], %[x0_h]\n\t"
+ "bic %[tmp1], %[x2_h], %[x1_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_h], %[x4_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_h], %[x0_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_h], %[x2_h]\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp1]\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp0]\n\t"
+ "eor %[x1_h], %[x1_h], %[x0_h]\n\t"
+ "eor %[x3_h], %[x3_h], %[x2_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t"
+ "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t"
+ "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t"
+ "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t"
+ "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t"
+ "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t"
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t"
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t"
+ "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t"
+ "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t"
+ "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t"
+ "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t"
+ "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t"
+ "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t"
+ "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t"
+ "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t"
+ "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t"
+ "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t"
+ "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t"
+ "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t"
+ "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t"
+ "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t"
+ : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]),
+ [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1)
+ : [ C_l ] "i"(C)
+ :);
+}
+
+#define ROUND5(x0, x1, x2, x3, x4, C) \
+ do { \
+ uint32_t tmp0, tmp1, tmp2; \
+ /* Based on the round description of Ascon given in the Bachelor's */ \
+ /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \
+ /* see https://github_com/Lucus16/ascon-riscv/ */ \
+ __asm__ __volatile__( \
+ "eor %[x2_l], %[x2_l], %[C_l]\n\t" \
+ "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \
+ "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \
+ "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \
+ "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \
+ "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \
+ "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \
+ "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \
+ "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \
+ "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \
+ "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \
+ "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \
+ "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \
+ "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \
+ "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \
+ "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \
+ "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \
+ "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \
+ "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \
+ "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \
+ "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \
+ "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \
+ "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \
+ "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \
+ "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \
+ "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \
+ "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \
+ "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \
+ "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \
+ "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \
+ "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \
+ "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \
+ "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \
+ "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \
+ "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \
+ "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \
+ "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \
+ "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \
+ "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \
+ "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \
+ "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \
+ "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \
+ "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \
+ "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \
+ "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \
+ "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \
+ "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \
+ "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \
+ "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \
+ "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \
+ "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \
+ : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \
+ [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \
+ [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \
+ [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \
+ [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \
+ [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \
+ : [ C_l ] "i"((uint32_t)C) \
+ :); \
+ } while (0)
+
+forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); }
+
+#endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m/word.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m/word.h
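Review bot: `ROUND_LOOP` executes `cmp` and `bne`, which write the condition flags, yet the asm statement's clobber list is empty (`: :);`), so the compiler is never told the flags change; add `"cc"` there (`: : "cc");`) rather than relying on the ARM backend to assume it. The `"i"` constraint on `C` in `ROUND` and on `C_l` in `ROUND5` only compiles when the round constant is a compile-time constant after inlining, which is why those helpers have to stay `forceinline`; a comment next to the constraint, `/* "i": C must fold to a constant, so callers must inline into a literal RCx */`, explains the otherwise surprising build failure when someone removes the attribute or passes a variable. The loop in `ROUND_LOOP` terminates only because `START(nr)` reaches `END` after exactly `nr` steps of `INC`, so `PROUNDS` silently assumes `nr` is in 1..12; a comment stating that, or a guard in `PROUNDS`, records the contract. The URL in the `ROUND5` comment reads `github_com`, which may be a rendering artifact; verify the link in the source. The `ROUND_LOOP` body starts in the previous physical line of this rendering.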
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/crypto_aead.c 
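Review bot: `#define INC -0x0f` is an unparenthesized negative literal, so an expression such as `x INC` or `a - INC` mis-parses; the conventional form is `#define INC (-0x0f)`. Note also that ROUND_LOOP in round.h does not use INC or END at all but hardcodes the same values as `sub %[C], #15` and `cmp %[C], #60`, so these definitions and START() can drift from the assembly without any diagnostic; a comment next to INC/END pointing at round.h (`/* must match the literal step/terminator in ROUND_LOOP, round.h */`) would at least make the coupling visible.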
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/encrypt.c
new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/encrypt.c
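Review bot: crypto_aead_decrypt writes the decrypted bytes into `m` and sets `*mlen` before the tag is compared, so on a forged ciphertext the caller's buffer holds unauthenticated plaintext next to a -1 return value. Unless every caller is trusted to discard `m` on failure, wipe it before returning — `if (result) memset(m, 0, (size_t)*mlen);` after the comparison loop (the branch only reveals the failure the return value already reveals; string.h is required, and the `#include` whose header name was lost in extraction may already be it) — or at least state in a comment above the function that `m` is garbage whenever the return is nonzero. The `(((result - 1) >> 8) & 1) - 1` idiom also depends on an arithmetic right shift of a negative int, which C leaves implementation-defined; it holds for the toolchains this directory targets, but that assumption belongs in the existing "should be constant time" comment.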
@@ -0,0 +1,95 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ key_t key;
+ ascon_loadkey(&key, k);
+ /* initialize */
+ state_t s;
+ ascon_initaead(&s, npub, &key);
+ /* process associated data */
+ if (adlen) {
+ ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB);
+ printstate("pad adata", &s);
+ P(&s, nr);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+ /* process plaintext/ciphertext */
+ ascon_update(&s, out, in, tlen, mode);
+ if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s);
+ if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s);
+ /* finalize */
+ ascon_final(&s, &key);
+ ((uint64_t*)t)[0] = WORDTOU64(s.x[3]);
+ ((uint64_t*)t)[1] = WORDTOU64(s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/endian.h
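Review bot: The tag is written with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and `((uint64_t*)t)[1] = WORDTOU64(s.x[4]);`, a type-punning 64-bit store into a buffer the callers in crypto_aead.c declare as `uint8_t t[16]` with no alignment guarantee; on ARMv7-M a compiler may lower that to a doubleword store that faults on a non-word-aligned address, and it violates strict aliasing regardless. word.h already provides the memcpy-based `STOREBYTES`, so `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` produces the same bytes portably. Separately, `key` and `s` hold key-derived material and are simply abandoned on the stack when ascon_aead returns; if this build is meant to limit key residue, clear them before returning with a helper the optimizer cannot elide (a plain memset on a dying local may be removed), and say so in a comment either way.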
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/forceinline.h 
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.c
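Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is dead code: clang defines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so it is always taken by the preceding branch and the `__has_attribute` probe never runs. Either delete the branch or test `defined(__clang__)` ahead of `__GNUC__` if the attribute check is actually wanted. Worth noting in the same header that `forceinline` is load-bearing here rather than a hint: ROUND and ROUND5 in round.h pass the round constant through an `"i"` asm operand, which only assembles when the call has been inlined with a constant argument, so the fallback `#define forceinline inline` branches can yield a build that fails to assemble rather than one that is merely slower.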
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
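Review bot: Both unrolled `P(state_t* s, int nr)` variants in permutations.h dispatch with three independent `if (nr == 12/8/6)` tests and silently leave the state untouched for any other value, which in a permutation-based cipher turns a configuration slip into a skipped permutation instead of a loud failure. Every call site visible in this patch passes 12 or an `nr` derived from ASCON_AEAD_RATE, so it is latent, but an `else __builtin_trap();` (the file already requires GCC/clang for its inline asm) or a comment stating that only 12, 8 and 6 are valid costs nothing. The LOADSTATE/STORESTATE macros also use their arguments unparenthesized (`a.x = s->x[0]`), which is fine for the identifier arguments used here but deserves a one-line note that they must be lvalues of type word_t.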
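Review bot: printstate writes all five state words to stdout, and encrypt.c calls it on the key-loaded state ("init 1st key xor", "final 1st key xor"), so with ASCON_PRINT_STATE defined the binary prints key-dependent material; that is intended for KAT debugging, but nothing stops the macro from reaching a release build. A guard at the top of printstate.c such as `#if defined(ASCON_PRINT_STATE) && defined(NDEBUG)` / `#error "ASCON_PRINT_STATE must not be set in release builds"` / `#endif`, plus a comment saying the output contains secret state, would keep the debug path from being enabled by accident.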
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/round.h
new file mode 100644
index 0000000..f70ebf3
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/round.h
@@ -0,0 +1,273 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( 
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/update.c 
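Review bot: ROUND_LOOP's `cmp %[C], #60` / `bne rbegin_%=` modifies the condition flags, but the asm statement ends with an empty clobber list (`: :`), so the compiler is never told APSR is written; declaring it as `: : "cc");` is harmless on backends that already assume it and correct on those that do not. The same loop hardcodes the round-constant step and terminator as `#15` and `#60` although constants.h defines them as INC and END, so the two can drift apart silently; passing them as `[inc] "i"(-INC), [end] "i"(END)` operands, or at least a comment next to the `sub`/`cmp` naming those macros, would tie them together. ROUND's `[ C_l ] "i"(C)` and ROUND5's `"i"((uint32_t)C)` also require the constant to be known after inlining, so a build in which forceinline degrades to plain `inline` fails at assembly time rather than at link time — worth a comment above ROUND so the next person does not debug an opaque "impossible constraint" error.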
@@ -0,0 +1,77 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode) {
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) {
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
+ }
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
+ }
+ /* compute permutation for full blocks */
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
+ }
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
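Review bot: ascon_update has no header comment even though its behaviour is entirely driven by the `mode` bit-set and by two conventions that are only visible from encrypt.c: `out` may be NULL when ASCON_SQUEEZE is not set (the associated-data call passes `(void*)0`), and the whole of `len` is consumed in one call — the trailing partial block and the `PAD(len)` byte are applied unconditionally at the end, so the function must not be called twice for the same stream. A comment above the definition spelling out the bits (ABSORB xors the input into the rate word, SQUEEZE writes the rate word to `out`, INSERT overwrites the rate word with the input after squeezing, i.e. decryption), the NULL-`out` rule and the one-shot padding would capture that contract. It is also worth stating there that `tmp` is only assigned under `mode & ASCON_ABSORB` when ASCON_HASH_BYTES is defined, so an INSERT-without-ABSORB mode would read it uninitialized; ASCON_DECRYPT always sets both, which is the reason this is safe today.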
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_lowsize/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/api.h 
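Review bot: `LOAD` and `STORE` dereference `*(uint64_t*)bytes` on caller-supplied buffers (`in`, `out`, `npub` and `k` as used in encrypt.c and update.c) that carry no alignment guarantee; on ARMv7-M a 64-bit access the compiler lowers to LDRD/STRD faults on a non-word-aligned address, and the cast violates strict aliasing on every target. `LOADBYTES`/`STOREBYTES` in the same header are memcpy-based and alignment-safe, so either route the 8-byte path through them (`LOAD(b, 8)` is `LOADBYTES(b, 8)` and `STORE(b, w, 8)` is `STOREBYTES(b, w, 8)` for the n == 8 calls this directory makes) or document a word-alignment requirement on every API buffer next to these helpers. The comment on `CLEAR` is also inverted: `~0ull >> (8 * n)` is defined for n == 0 and undefined for n == 8, while `MASK`'s `>> (64 - 8 * n)` is the one undefined for n == 0; change it to `/* undefined for n == 8 */`.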
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/ascon.h
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/config.h 
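Review bot: ascon.h decides whether `key_t` has a `k0` member with `#if (CRYPTO_KEYBYTES == 20)`, but it includes only a system header and word.h, not the api.h that defines CRYPTO_KEYBYTES; an identifier that is undefined at that point evaluates to 0 in `#if`, so a translation unit that includes ascon.h before api.h silently gets a `key_t` layout different from the one encrypt.c compiles against. Adding `#include "api.h"` to ascon.h, or `#ifndef CRYPTO_KEYBYTES #error "api.h must be included first" #endif`, removes the include-order dependency. The name `key_t` also collides with the POSIX `key_t` typedef from sys/types.h, which hosted toolchains pull in through common headers, so a project-prefixed name such as `ascon_key_t` would avoid a redefinition error in desktop test harnesses.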
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/endian.h 
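Review bot: The final-block paths in ascon_adata, ascon_encrypt and ascon_decrypt call `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `STORE(m, *px, clen)` with a length below 8, and the word.h added in this commit implements LOAD/STORE as a full 8-byte `*(uint64_t*)` access; so the last partial block reads up to 7 bytes past the end of `ad` and of `m` on the encrypt side, and on the decrypt side `STORE(m, *px, clen)` writes 8 bytes where the plaintext buffer has only `clen` remaining (the `c` accesses stay inside the ciphertext plus its 16-byte tag, and the spill from `STORE(c, *px, mlen)` is overwritten by the tag). That slack is a caller contract this file never states; either document it above crypto_aead_encrypt/crypto_aead_decrypt or switch the tail accesses to `LOADBYTES`/`STOREBYTES`, which the tag code already uses — for the decrypt tail `*px ^= cx; STOREBYTES(m, *px, clen);` followed by the existing CLEAR/XOR restore. Also `*mlen = clen = clen - CRYPTO_ABYTES;` is written before the tag is checked, so a failed decrypt leaves a positive `*mlen` next to the -1 return; writing `*mlen` only once NOTZERO has passed makes the unauthenticated output harder to consume by accident.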
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/forceinline.h 
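Review bot: The first term of `U32BIG`, `(0x000000FF & (x)) << 24`, is a signed-int shift when `x` is a plain `int`: `0x000000FF` is an `int` literal, so the product can reach 0xFF000000, which exceeds INT_MAX and is undefined behaviour, whereas `U64BIG` avoids this by using `ULL` on every mask. Writing the masks as `0x000000FFU`, `0x0000FF00U`, `0x00FF0000U` and `0xFF000000U` (and `0x00FFU`/`0xFF00U` in `U16BIG` for consistency) makes the arithmetic unsigned regardless of the argument type; neither macro is used by the files in this commit, so the defect is latent rather than live. The `defined(_MSC_VER)` arm of the `#elif` assumes every MSVC target is little-endian, which is true of the targets MSVC ships but deserves a one-line comment saying so.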
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.c 
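Review bot: The `#elif defined(__CLANG__)` branch is unreachable and misspelled: clang predefines `__clang__` (lowercase) and also `__GNUC__`, so clang is already taken by the `__GNUC__` branch above and the `__has_attribute` probe never runs. Either drop the branch, or test `defined(__clang__)` before `__GNUC__` if the probe is wanted; with the current order a comment `/* clang also defines __GNUC__ and is handled above */` would at least explain the intent.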
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/permutations.h 
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
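Review bot: Both unrolled variants of `P` dispatch on `nr == 12`, `8`, `6` with independent `if`s and fall through silently for any other value, so a wrong round count would leave the state unpermuted instead of failing; every call site in this commit passes a literal, but a comment on both definitions, `/* nr must be 6, 8 or 12; any other value applies no permutation */`, records the contract. The rotated argument orders in P12ROUNDS/P8ROUNDS/P6ROUNDS are correct but non-obvious: ROUND5 leaves state word j in the register passed at position (j + 2) mod 5, which is why each successive call shifts its arguments by two and why the non-inline `STORESTATE` lines use `(x4, x0, x1, x2, x3)`, `(x1, x2, x3, x4, x0)` and `(x2, x3, x4, x0, x1)` after 12, 8 and 6 rounds; a one-line comment above the first `ROUND5` stating that rotation would save the next reader from re-deriving it.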
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/round.h new file mode 100644 index 0000000..f70ebf3 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/round.h 
@@ -0,0 +1,273 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( 
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/armv7m_small/word.h 
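Review bot: ROUND_LOOP hard-codes the round-constant schedule as `sub %[C], #15` / `cmp %[C], #60`, while constants.h in this commit defines `INC -0x0f` and `END 0x3c` for exactly those values (and `START(n)`, which PROUNDS does use); the two can drift apart without any compiler complaint, so at minimum a comment `/* step and terminator must match INC/END in constants.h */` next to the two instructions, or immediates built from the macros via stringification, ties them together. Separately, `ROUND` passes `C` through an `"i"` constraint, which requires a compile-time constant; that holds only while the function is inlined at its `ROUND(s, RCa)`/`ROUND(s, RCb)` call sites, so a build that neutralises `forceinline` before this header is parsed would fail with an impossible-constraint error — a comment on the parameter stating that requirement is warranted.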
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/api.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/api.h
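Review bot: `LOAD` and `STORE` always touch a whole 8-byte word through `*(uint64_t*)bytes` whatever `n` is, so for a partial block they read, and `STORE` also read-modify-writes, the bytes beyond the `n` the caller passed, and they need `bytes` to be suitably aligned for a 64-bit access; `LOADBYTES`/`STOREBYTES` below are the bounded `memcpy` forms. Unless every caller guarantees a full readable/writable 8-byte slot this is an out-of-bounds access at the end of a buffer, so at minimum add `/* whole-word access: caller must provide 8 readable (LOAD) / writable (STORE) bytes; only the low n bytes are meaningful */` above `LOAD`. The `/* undefined for n == 0 */` comment on `CLEAR` looks copied from `MASK`: its shift `~0ull >> (8 * n)` is in range for n == 0 and out of range for n == 8, so it should read `/* undefined for n == 8 */`.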
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.S b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.S
new file mode 100644
index 0000000..36c8d74
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.S
@@ -0,0 +1,530 @@ +#include "api.h" + +## REGISTER ALLOCATION +#define t0h t3 +#define t0l t4 +#define t1h t5 +#define t1l t6 +#define x0h s0 +#define x0l s1 +#define x1h s2 +#define x1l s3 +#define x2h s4 +#define x2l s5 +#define x3h s6 +#define x3l s7 +#define x4h s8 +#define x4l s9 +#define k0h s10 +#define k0l s11 +#define k1h a5 +#define k1l a6 + +## OVERLAPPING REGISTER ALLOCATION +#define optr a0 +#define iptr a3 +#define ilen a4 +#define mode a7 + +## STACK FRAME LAYOUT +## +-----------+-----------+-----------+------------+-----------+ +## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH | +## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 | +## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 | +## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 | +## | KEY 16 | KEY 16 | KEY 20 | | | +## +-----------+-----------+-----------+------------+-----------+ +## 0 | bytes | bytes | bytes | bytes | bytes | +## 4 | | | \---- | \---- | \---- | \---- | +## 8 | | | | | | | +## 12 | \---- | | | | | +## 16 | | | key k2h | | | +## 20 | optr | optr | optr | optr | optr | +## 24 | mode | mode | mode | | | +## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 | +## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 | +## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 | +## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 | +## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 | +## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 | +## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 | +## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 | +## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 | +## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 | +## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 | +## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 | +## 76 | saved ra | saved ra | saved ra | saved ra | saved ra | +## 80 
+-----------+-----------+-----------+------------+-----------+ + +## ASCON128 +#define RATE 8 +#define PA_ROUNDS 12 +#define PA_START_ROUND ascon_start_round_a +#define PB_ROUNDS 6 +#define PB_START_ROUND ascon_start_round_b +#define IVe 0x8220000 +#define IVo 0x80210000 + +#define S_key 16 +#define S_optr 20 +#define S_mode 24 + +.macro sbox x0, x1, x2, x3, x4, t0, t1, t2 + xor \t1, \x0, \x4 + xor \t2, \x3, \x4 + xor \t0, \x1, \x2 + orn \x4, \x3, \x4 + xor \x4, \x4, \t0 + xor \x3, \x3, \x1 + or \x3, \x3, \t0 + xor \x3, \x3, \t1 + xor \x2, \x2, \t1 + or \x2, \x2, \x1 + xor \x2, \x2, \t2 + or \x0, \x0, \t2 + xor \t0, \t0, \x0 + andn \x1, \x1, \t1 + xor \x1, \x1, \t2 +.endm + +.macro linear_odd_odd de, do, se, so, r0, r1, t0, t1 + rori \t0, \so, ((\r0 - \r1) / 2) + rori \t1, \se, ((\r0 - \r1) / 2) + xor \t0, \t0, \so + xor \t1, \t1, \se + rori \t0, \t0, ((\r1 - 1) / 2) + rori \t1, \t1, ((\r1 + 1) / 2) + xor \de, \se, \t0 + xor \do, \so, \t1 +.endm + +.macro linear_odd_even de, do, se, so, r0, r1, t0, t1 + .if (\r0 > 1) + rori \t0, \so, ((\r0 - 1) / 2) + xor \t0, \t0, \se + .else + xor \t0, \so, \se + .endif + rori \t1, \se, ((\r0 + 1) / 2) + xor \t1, \t1, \so + rori \se, \se, (\r1 / 2) + rori \so, \so, (\r1 / 2) + xor \de, \se, \t0 + xor \do, \so, \t1 +.endm + +.macro linear de, do, se, so, r0, r1, t0, t1 + .if (\r0 < \r1) + linear \de, \do, \se, \so, \r1, \r0, \t0, \t1 + .elseif ((\r0 % 2) == 0) + linear_odd_even \de, \do, \se, \so, \r1, \r0, \t0, \t1 + .elseif ((\r1 % 2) == 0) + linear_odd_even \de, \do, \se, \so, \r0, \r1, \t0, \t1 + .else + linear_odd_odd \de, \do, \se, \so, \r0, \r1, \t0, \t1 + .endif +.endm + +.section .data +.align 2 +.global ascon_round_constants +.type ascon_round_constants,@object +ascon_round_constants: +ascon_start_round_a: + .byte 0xc, 0xc + .byte 0x9, 0xc + .byte 0xc, 0x9 + .byte 0x9, 0x9 + .byte 0x6, 0xc + .byte 0x3, 0xc +ascon_start_round_b: + .byte 0x6, 0x9 + .byte 0x3, 0x9 + .byte 0xc, 0x6 + .byte 0x9, 0x6 + .byte 0xc, 0x3 + .byte 
0x9, 0x3 + .byte 0x0 + +.section .text +.align 4 +.globl ascon_permute +.type ascon_permute,@function +ascon_permute: + # ascon permutation + # state in s0 .. s9 + # start round constant ptr in t1 + # temporaries in t3, t4, t5 + # link register in t0 + j .LPloopcond +.LPloop: + # round constant + xor x2l, x2l, t2 + lbu t2, 1(t1) + xor x2h, x2h, t2 + + # s-box + sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h + sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h + + # linear layer + linear x0l, x0h, x2l, x2h, 19, 28, x0l, x0h + linear x2l, x2h, x4l, x4h, 1, 6, x2l, x2h + linear x4l, x4h, x1l, x1h, 7, 41, x4l, x4h + linear x1l, x1h, x3l, x3h, 61, 39, x1l, x1h + linear x3l, x3h, t0l, t0h, 10, 17, x3l, x3h + + # condition + addi t1, t1, 2 +.LPloopcond: + lbu t2, 0(t1) + bne t2, zero, .LPloop + +.LPend: + jalr zero, 0(t0) + +.macro to_bi32_rev8 de, do, xl, xh, t0 + rev8 \t0, \xl + rev8 \do, \xh + unzip \t0, \t0 + unzip \do, \do + pack \de, \t0, \do + packu \do, \t0, \do +.endm + +.macro from_bi32_rev8 dl, dh, xe, xo, t0 + pack \t0, \xe, \xo + packu \dh, \xe, \xo + zip \dl, \t0 + zip \dh, \dh + rev8 \dl, \dl + rev8 \dh, \dh +.endm + +.align 4 +.globl ascon_to_bi32_rev8 +.type ascon_to_bi32_rev8,@function +ascon_to_bi32_rev8: + # ascon bytereverse and bi32 one block + # arguments and results in t3, t4, t5, t6 + # temporaries in t1, t2 + # link register in t0 + to_bi32_rev8 t1l, t1h, t1l, t1h, t1 +.align 4 +.globl ascon_to_bi32_rev8_half +.type ascon_to_bi32_rev8_half,@function +ascon_to_bi32_rev8_half: + to_bi32_rev8 t0l, t0h, t0l, t0h, t1 + jalr zero, 0(t0) + +.align 4 +.globl ascon_from_bi32_rev8 +.type ascon_from_bi32_rev8,@function +ascon_from_bi32_rev8: + # ascon bytereverse and inverse bi32 one block + # arguments and results in t3, t4, t5, t6 + # temporaries in t1, t2 + # link register in t0 + from_bi32_rev8 t1l, t1h, t1l, t1h, t1 +.align 4 +.globl ascon_from_bi32_rev8_half +.type ascon_from_bi32_rev8_half,@function +ascon_from_bi32_rev8_half: + from_bi32_rev8 t0l, t0h, t0l, 
t0h, t1 + jalr zero, 0(t0) + +.align 4 +.globl ascon_memcpy +.type ascon_memcpy,@function +ascon_memcpy: + # memcpy that preserves registers used by ascon + # dest in t1 + # src in t2 + # len in a4 + # temporaries in t3, t4 + # link register in t0 + li t3, 0 + j .LMcond +.LMloop: + lbu t4, 0(t2) + sb t4, 0(t1) + addi t1, t1, 1 + addi t2, t2, 1 + addi t3, t3, 1 +.LMcond: + blt t3, ilen, .LMloop +.LMend: + jalr zero, 0(t0) + +.align 4 +.globl ascon_duplex +.type ascon_duplex,@function +ascon_duplex: + j .LDcond + +.LDloop: + lw t0h, 0(iptr) + lw t0l, 4(iptr) + jal t0, ascon_to_bi32_rev8_half + xor x0h, x0h, t0h + xor x0l, x0l, t0l + +.LDsqueeze: + beq mode, zero, .LDreset + + # ascon_rev8 + # inlined here to preserve registers + from_bi32_rev8 t0, t1, x0l, x0h, t2 + sw t1, 0(optr) + sw t0, 4(optr) + +.LDreset: + bge mode, zero, .LDpermute + mv x0h, t0h + mv x0l, t0l + +.LDpermute: + la t1, PB_START_ROUND + jal t0, ascon_permute + + addi optr, optr, RATE + addi iptr, iptr, RATE + addi ilen, ilen, -RATE + +.LDcond: + li t0, RATE + bge ilen, t0, .LDloop + +.LDend: + sw zero, 0(sp) + sw zero, 4(sp) + + mv t1, sp + mv t2, iptr + jal t0, ascon_memcpy + + add t1, sp, ilen + lbu t0, 0(t1) + xori t0, t0, 0x80 + sb t0, 0(t1) + + lw t0h, 0(sp) + lw t0l, 4(sp) + jal t0, ascon_to_bi32_rev8_half + xor x0h, x0h, t0h + xor x0l, x0l, t0l + +.LDendsqueeze: + beq mode, zero, .LDendreset + + mv t0h, x0h + mv t0l, x0l + jal t0, ascon_from_bi32_rev8_half + sw t0h, 0(sp) + sw t0l, 4(sp) + + mv t1, optr + mv t2, sp + jal t0, ascon_memcpy + +.LDendreset: + bge mode, zero, .LDreturn + + mv t1, sp + mv t2, iptr + jal t0, ascon_memcpy + + lw t0h, 0(sp) + lw t0l, 4(sp) + jal t0, ascon_to_bi32_rev8_half + mv x0h, t0h + mv x0l, t0l + +.LDreturn: + add optr, optr, ilen + add iptr, iptr, ilen + ret + +.macro sw_unaligned x, off, a + sb \x, 0+\off(\a) + srli \x, \x, 8 + sb \x, 1+\off(\a) + srli \x, \x, 8 + sb \x, 2+\off(\a) + srli \x, \x, 8 + sb \x, 3+\off(\a) +.endm + +.macro lw_unaligned_4x x1, x2, 
x3, x4, a, t0, t1, t2, t3 + andi \t0, \a, -4 + lw \x1, 0(\t0) + lw \x2, 4(\t0) + lw \x3, 8(\t0) + lw \x4, 12(\t0) + beq \t0, \a, 1f + lw \t0, 16(\t0) + andi \t1, \a, 3 + slli \t1, \t1, 3 + sub \t2, zero, \t1 + srl \x1, \x1, \t1 + sll \t3, \x2, \t2 + or \x1, \x1, \t3 + srl \x2, \x2, \t1 + sll \t3, \x3, \t2 + or \x2, \x2, \t3 + srl \x3, \x3, \t1 + sll \t3, \x4, \t2 + or \x3, \x3, \t3 + srl \x4, \x4, \t1 + sll \t3, \t0, \t2 + or \x4, \x4, \t3 + 1: +.endm + +.align 4 +.globl ascon_core +.type ascon_core,@function +ascon_core: + # ascon algorithm + # sets up state in s0 .. s9 + # outptr in a0 + # inptr in a1 + # inlen in a2 + # adptr in a3 (later used as inptr) + # adlen in a4 (later used as inlen) + # nptr in a5 (later used as k1h) + # kptr in a6 (later used as k1l) + # mode in a7 (1 enc, 0 ad, -1 dec) + # link register in ra + addi sp, sp, -80 + sw ra, 76(sp) + sw s0, 72(sp) + sw s1, 68(sp) + sw s2, 64(sp) + sw s3, 60(sp) + sw s4, 56(sp) + sw s5, 52(sp) + sw s6, 48(sp) + sw s7, 44(sp) + sw s8, 40(sp) + sw s9, 36(sp) + sw s10, 32(sp) + sw s11, 28(sp) + + # sign-extend mode + slli a7, a7, 24 + srai a7, a7, 24 + + lw t0h, 0(a5) + lw t0l, 4(a5) + lw t1h, 8(a5) + lw t1l, 12(a5) + jal t0, ascon_to_bi32_rev8 + mv x3h, t0h + mv x3l, t0l + mv x4h, t1h + mv x4l, t1l + + lw t0h, 0(a6) + lw t0l, 4(a6) + lw t1h, 8(a6) + lw t1l, 12(a6) + jal t0, ascon_to_bi32_rev8 + mv k0h, t0h + mv k0l, t0l + mv k1h, t1h + mv k1l, t1l + + li x0h, IVo + li x0l, IVe + mv x1h, k0h + mv x1l, k0l + mv x2h, k1h + mv x2l, k1l + + la t1, PA_START_ROUND + jal t0, ascon_permute + + xor x3h, x3h, k0h + xor x3l, x3l, k0l + xor x4h, x4h, k1h + xor x4l, x4l, k1l + + beq ilen, zero, .LCskipad + + sw optr, S_optr(sp) + sw mode, S_mode(sp) + mv mode, zero + jal ra, ascon_duplex + lw optr, S_optr(sp) + lw mode, S_mode(sp) + + la t1, PB_START_ROUND + jal t0, ascon_permute + +.LCskipad: + xori x4l, x4l, 1 + + mv iptr, a1 + mv ilen, a2 + jal ra, ascon_duplex + + xor x1h, x1h, k0h + xor x1l, x1l, k0l + xor x2h, x2h, 
k1h
+ xor x2l, x2l, k1l
+
+ la t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ bge mode, zero, .LCencrypt
+.LCdecrypt:
+ lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1, t2, k0h
+ jal t0, ascon_to_bi32_rev8
+
+ xor t0, x3h, t0h
+ xor t1, x3l, t0l
+ xor t0, t0, t1
+ xor t1, x4h, t1h
+ xor t0, t0, t1
+ xor t1, x4l, t1l
+ xor t0, t0, t1
+
+ beq t0, zero, .LCzeroreturn
+ li a0, -1
+ j .LCreturn
+.LCencrypt:
+
+ mv t0h, x3h
+ mv t0l, x3l
+ mv t1h, x4h
+ mv t1l, x4l
+ jal t0, ascon_from_bi32_rev8
+ sw_unaligned t0h, 0, optr
+ sw_unaligned t0l, 4, optr
+ sw_unaligned t1h, 8, optr
+ sw_unaligned t1l, 12, optr
+
+.LCzeroreturn:
+ li a0, 0
+.LCreturn:
+ lw ra, 76(sp)
+ lw s0, 72(sp)
+ lw s1, 68(sp)
+ lw s2, 64(sp)
+ lw s3, 60(sp)
+ lw s4, 56(sp)
+ lw s5, 52(sp)
+ lw s6, 48(sp)
+ lw s7, 44(sp)
+ lw s8, 40(sp)
+ lw s9, 36(sp)
+ lw s10, 32(sp)
+ lw s11, 28(sp)
+ addi sp, sp, 80
+ jalr zero, 0(ra)
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/decrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/decrypt.c
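Review bot: In `.LCdecrypt` the tag is compared only after `ascon_duplex` has already written every decrypted block to `optr` (the `.LDsqueeze` stores and the final `ascon_memcpy` run whenever `mode` is non-zero), so on a mismatch `ascon_core` returns -1 with unverified plaintext left in the caller's buffer and nothing scrubs it; the XOR-accumulate compare itself is constant-time, which is good. The simplest fix is in the `crypto_aead_decrypt` wrappers (decrypt.c of this variant and the identical asm_esp32 copy further down): `int ret = ascon_core(m, c, *mlen, ad, adlen, npub, k, -1); if (ret != 0) { memset(m, 0, *mlen); *mlen = 0; } return ret;` with `<string.h>`, plus a sentence in the `ascon_core` header comment saying the output is only valid when the return value is 0. `ascon_memcpy` loops with the signed `blt t3, ilen` whereas the esp32 variant uses `bltu`; `ilen` is `unsigned int` in ascon.h, so `bltu t3, ilen, .LMloop` is the matching comparison even though only values below `RATE` reach it here. `lw_unaligned_4x` also loads a fifth word at `16(\t0)` when the tag pointer is not 4-byte aligned, i.e. up to three bytes past the 16-byte tag; that over-read deserves a comment in the macro so callers know the byte after the ciphertext must be readable.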
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/implementors b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_bi32_rv32b/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/api.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
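Review bot: `crypto_aead_decrypt` passes the `unsigned long long` lengths `*mlen` and `adlen` straight to `ascon_core`, whose prototype in ascon.h takes `unsigned int`, so on these 32-bit targets a length of 2^32 or more is silently truncated and the tag is verified over a shorter input than the caller supplied; `crypto_aead_encrypt` in this same line has the same narrowing while `*clen = mlen + CRYPTO_ABYTES` is computed from the untruncated value, so `*clen` and the bytes actually written can disagree. A cheap guard before the call is `if (*mlen > UINT_MAX || adlen > UINT_MAX) { *mlen = 0; return -1; }` (with `<limits.h>`; the encrypt side can return -1 with `*clen = 0`), or at least a comment on both wrappers stating the size limit. The asm_esp32 decrypt.c and encrypt.c further down are byte-identical copies and need the same change.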
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.S b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.S
new file mode 100644
index 0000000..009638e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.S
@@ -0,0 +1,508 @@ +#include +#include "api.h" + +## REGISTER ALLOCATION +#define t0h a4 +#define t0l a5 +#define x0h a6 +#define x0l a7 +#define x1h a8 +#define x1l a9 +#define x2h a10 +#define x2l a11 +#define x3h a12 +#define x3l a13 +#define x4h a14 +#define x4l a15 +## OVERLAPPING REGISTER ALLOCATION +#define optr x2h +#define iptr x2l +#define ilen x3h +#define mode x3l +#define t1h x4h +#define t1l x4l + +## STACK FRAME LAYOUT +## +-----------+-----------+-----------+------------+-----------+ +## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH | +## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 | +## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 | +## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 | +## | KEY 16 | KEY 16 | KEY 20 | | | +## +-----------+-----------+-----------+------------+-----------+ +## 0 | bytes | bytes | bytes | bytes | bytes | +## 4 | | | \---- | \---- | \---- | \---- | +## 8 | | | optr | optr | optr | optr | +## 12 | \---- | iptr | iptr | iptr cur | iptr cur | +## 16 | state x2h | state x2h | state x2h | | | +## 20 | | x2l | | x2l | | x2l | state x2l | state x2l | +## 24 | | x3h | | x3h | | x3h | \---- x3h | \---- x3h | +## 28 | | x3l | \---- x3l | \---- x3l | | | +## 32 | | x4h | ilen | ilen | ilen cur | ilen cur | +## 36 | \---- x4l | mode cur | mode cur | olen | olen | +## 40 | key k0h | key k0h | key k1h | | | +## 44 | | k0l | | k0l | | k1l | lr | lr | +## 48 | | k1h | | k1h | | k2h +------------+-----------+ +## 52 | \---- k1l | \---- k1l | | k2l | +## 56 | | | \---- k0h | +## 60 | optr cur | optr cur | optr cur | +## 64 | iptr cur | iptr cur | iptr cur | +## 68 | ilen cur | ilen cur | ilen cur | +## 72 | mode cur | lr2 | lr2 | +## 76 | optr | lr | lr | +## 80 | iptr +-----------+-----------+ +## 84 | ilen | | | +## 88 | lr2 | | | +## 92 | lr +-----------+-----------+ +## 96 +-----------+ kptr arg | kptr arg | +## 100 | | mode arg | mode arg | +## 104 | +-----------+-----------+ +## 108 +-----------+ +## 112 | kptr arg | +## 116 | mode 
arg | +## 120 +-----------+ + +## ASCON128 +#define RATE 8 +#define PA_ROUNDS 12 +#define PA_START_ROUND 0xf0 +#define PB_ROUNDS 6 +#define PB_START_ROUND 0x96 +#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0)) +#define IVl 0 + +#define S_state 16 +#define S_key 40 +#define S_optr_cur 60 +#define S_iptr_cur 64 +#define S_ilen_cur 68 +#define S_mode_cur 36 +#define S_optr 8 +#define S_iptr 12 +#define S_ilen 32 +#define S_lr2 72 +#define S_lr 76 +#define S_kptr_arg 96 +#define S_mode_arg 100 + +.macro sbox x0, x1, x2, x3, x4, r0, t0, t1, t2 + xor \t1, \x0, \x4 + xor \t2, \x3, \x4 + movi \t0, -1 + xor \x4, \x4, \t0 + xor \t0, \x1, \x2 + or \x4, \x4, \x3 + xor \x4, \x4, \t0 + xor \x3, \x3, \x1 + or \x3, \x3, \t0 + xor \x3, \x3, \t1 + xor \x2, \x2, \t1 + or \x2, \x2, \x1 + xor \x2, \x2, \t2 + or \x0, \x0, \t2 + xor \x0, \x0, \t0 + movi \t0, -1 + xor \t1, \t1, \t0 + and \x1, \x1, \t1 + xor \x1, \x1, \t2 + mov \r0, \x0 +.endm + +.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0 + ssai \r0 + src \dl, \sh0, \sl0 + src \dh, \sl0, \sh0 + xor \dl, \dl, \sl + xor \dh, \dh, \sh + ssai \r1 + src \t0, \sh1, \sl1 + src \sh, \sl1, \sh1 + xor \dl, \dl, \t0 + xor \dh, \dh, \sh +.endm + +.align 4 +.globl ascon_permute +.type ascon_permute,@function +ascon_permute: + # ascon permutation + # state in a6 .. a9 and sp + 16 .. sp + 36 + # start round in a2 + # temporaries in a3, a4, a5 + l32i x2h, a1, (S_state + 0) + l32i x2l, a1, (S_state + 4) + l32i x3h, a1, (S_state + 8) + l32i x3l, a1, (S_state + 12) +.globl ascon_permute_noload +.type ascon_permute_noload,@function +ascon_permute_noload: + # state in a6 .. 
a15 + # start round constant in a2 + # round count in a3 + # temporaries in a3, a4, a5 + + # ESP32 zero-overhead looping + floop a3, Ploop +.LPloop: + # round constant + xor x2l, x2l, a2 + + # s-box + sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t0l, a3 + sbox x0h, x1h, x2h, x3h, x4h, t0h, t0h, x0l, a3 + + # linear layer + linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, a3 + linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, a3 + linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, a3 + linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, a3 + linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, a3 + + # condition + addi a2, a2, -15 + + floopend a3, Ploop +.LPend: + s32i x2h, a1, (S_state + 0) + s32i x2l, a1, (S_state + 4) + s32i x3h, a1, (S_state + 8) + s32i x3l, a1, (S_state + 12) + ret + +.align 4 +.globl ascon_rev8 +.type ascon_rev8,@function +ascon_rev8: + # ascon bytereverse one block + # arguments and results in a4, a5, a14, a15 + # temporaries in a2 + ssai 8 + srli a2, t1h, 16 + src a2, a2, t1h + src a2, a2, a2 + src t1h, t1h, a2 + + srli a2, t1l, 16 + src a2, a2, t1l + src a2, a2, a2 + src t1l, t1l, a2 + +.globl ascon_rev8_half +.type ascon_rev8_half,@function +ascon_rev8_half: + ssai 8 + srli a2, t0h, 16 + src a2, a2, t0h + src a2, a2, a2 + src t0h, t0h, a2 + + srli a2, t0l, 16 + src a2, a2, t0l + src a2, a2, a2 + src t0l, t0l, a2 + + ret + +.align 4 +.globl ascon_memcpy +.type ascon_memcpy,@function +ascon_memcpy: + # memcpy that preserves registers used by ascon + # dest in a2 + # src in a3 + # temporaries in a4, a5 + movi a4, 0 + j .LMcond +.LMloop: + l8ui a5, a3, 0 + s8i a5, a2, 0 + addi a2, a2, 1 + addi a3, a3, 1 + addi a4, a4, 1 +.LMcond: + bltu a4, ilen, .LMloop +.LMend: + ret + +.align 4 +.globl ascon_duplex +.type ascon_duplex,@function +ascon_duplex: + s32i a0, a1, S_lr2 + j .LDcond + +.LDloop: + l32i t0h, iptr, 0 + l32i t0l, iptr, 4 + call0 ascon_rev8_half + xor x0h, x0h, t0h + xor x0l, x0l, t0l + +.LDsqueeze: + beqz a13, .LDreset + + # 
ascon_rev8 + # inlined here to preserve registers + ssai 8 + srli a2, x0h, 16 + src a2, a2, x0h + src a2, a2, a2 + src a2, x0h, a2 + s32i a2, optr, 0 + + srli a2, x0l, 16 + src a2, a2, x0l + src a2, a2, a2 + src a2, x0l, a2 + s32i a2, optr, 4 + +.LDreset: + bgez mode, .LDpermute + mov x0h, t0h + mov x0l, t0l + +.LDpermute: + s32i optr, a1, S_optr_cur + s32i iptr, a1, S_iptr_cur + s32i ilen, a1, S_ilen_cur + movi a2, PB_START_ROUND + movi a3, PB_ROUNDS + call0 ascon_permute + l32i optr, a1, S_optr_cur + l32i iptr, a1, S_iptr_cur + l32i ilen, a1, S_ilen_cur + l32i mode, a1, S_mode_cur + + addi optr, optr, RATE + addi iptr, iptr, RATE + addi ilen, ilen, -RATE + +.LDcond: + bgeui ilen, RATE, .LDloop + +.LDend: + movi a2, 0 + s32i a2, a1, 0 + s32i a2, a1, 4 + + mov a2, a1 + mov a3, iptr + call0 ascon_memcpy + + movi a4, 0x80 + add a2, a1, ilen + l8ui a3, a2, 0 + xor a3, a3, a4 + s8i a3, a2, 0 + + l32i t0h, a1, 0 + l32i t0l, a1, 4 + call0 ascon_rev8_half + xor x0h, x0h, t0h + xor x0l, x0l, t0l + +.LDendsqueeze: + beqz mode, .LDendreset + + mov t0h, x0h + mov t0l, x0l + call0 ascon_rev8_half + s32i t0h, a1, 0 + s32i t0l, a1, 4 + + mov a2, optr + mov a3, a1 + call0 ascon_memcpy + +.LDendreset: + bgez mode, .LDreturn + + mov a2, a1 + mov a3, iptr + call0 ascon_memcpy + + l32i t0h, a1, 0 + l32i t0l, a1, 4 + call0 ascon_rev8_half + mov x0h, t0h + mov x0l, t0l + +.LDreturn: + add optr, optr, ilen + add iptr, iptr, ilen + l32i a0, a1, S_lr2 + ret + +.align 4 +.globl ascon_core +.type ascon_core,@function +ascon_core: + abi_entry 80, 4 + s32i a0, a1, S_lr + s32i a2, a1, S_optr + s32i a3, a1, S_iptr + s32i a4, a1, S_ilen + s32i a5, a1, S_iptr_cur + s32i a6, a1, S_ilen_cur + + # load key + l32i a2, a1, S_kptr_arg + l32i t0h, a2, 0 + l32i t0l, a2, 4 + l32i t1h, a2, 8 + l32i t1l, a2, 12 + call0 ascon_rev8 + s32i t0h, a1, (S_key + 0) + s32i t0l, a1, (S_key + 4) + s32i t1h, a1, (S_key + 8) + s32i t1l, a1, (S_key + 12) + mov x1h, t0h + mov x1l, t0l + mov x2h, t1h + mov x2l, t1l + + # 
load nonce + # a7 is not clobbered by ascon_rev8 + # a7 does not overlap x1, x2, t0, or t1 + # x4 overlaps t1, move unnecessary + mov a2, a7 + l32i t0h, a2, 0 + l32i t0l, a2, 4 + l32i t1h, a2, 8 + l32i t1l, a2, 12 + call0 ascon_rev8 + mov x3h, t0h + mov x3l, t0l + + # load IV + # this clobbers a7 + movi x0h, IVh + movi x0l, IVl + + movi a2, PA_START_ROUND + movi a3, PA_ROUNDS + call0 ascon_permute_noload + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x3h, x3h, t0h + xor x3l, x3l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x4h, x4h, t0h + xor x4l, x4l, t0l + + # save state + s32i x2h, a1, (S_state + 0) + s32i x2l, a1, (S_state + 4) + s32i x3h, a1, (S_state + 8) + s32i x3l, a1, (S_state + 12) + + l32i ilen, a1, S_ilen_cur + beqz ilen, .LCskipad + + l32i iptr, a1, S_iptr_cur + movi mode, 0 + s32i mode, a1, S_mode_cur + call0 ascon_duplex + + movi a2, PB_START_ROUND + movi a3, PB_ROUNDS + call0 ascon_permute + +.LCskipad: + movi a2, 1 + xor x4l, x4l, a2 + + l32i optr, a1, S_optr + l32i iptr, a1, S_iptr + l32i ilen, a1, S_ilen + l8ui mode, a1, S_mode_arg + sext mode, mode, 7 + s32i mode, a1, S_mode_cur + call0 ascon_duplex + s32i optr, a1, S_optr_cur + s32i iptr, a1, S_iptr_cur + + # restore state + l32i x2h, a1, (S_state + 0) + l32i x2l, a1, (S_state + 4) + l32i x3h, a1, (S_state + 8) + l32i x3l, a1, (S_state + 12) + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x1h, x1h, t0h + xor x1l, x1l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x2h, x2h, t0h + xor x2l, x2l, t0l + + movi a2, PA_START_ROUND + movi a3, PA_ROUNDS + call0 ascon_permute_noload + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x3h, x3h, t0h + xor x3l, x3l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x4h, x4h, t0h + xor x4l, x4l, t0l + + l32i a2, 
a1, S_mode_cur
+ bgez a2, .LCencrypt
+.LCdecrypt:
+
+ # save x4 into x0
+ # x0 is no longer needed
+ # x4 overlaps t1
+ mov x0h, x4h
+ mov x0l, x4l
+
+ l32i a2, a1, S_iptr_cur
+ l32i t0h, a2, 0
+ l32i t0l, a2, 4
+ l32i t1h, a2, 8
+ l32i t1l, a2, 12
+ call0 ascon_rev8
+
+ # check tag
+ # x4 is in x0
+ xor a2, x3h, t0h
+ xor a3, x3l, t0l
+ xor a2, a2, a3
+ xor a3, x0h, t1h
+ xor a2, a2, a3
+ xor a3, x0l, t1l
+ xor a2, a2, a3
+
+ beqz a2, .LCzeroreturn
+ movi a2, -1
+ j .LCreturn
+.LCencrypt:
+
+ # store tag
+ # x4 overlaps t1, move unnecessary
+ mov t0h, x3h
+ mov t0l, x3l
+ call0 ascon_rev8
+ l32i a2, a1, S_optr_cur
+ s32i t0h, a2, 0
+ s32i t0l, a2, 4
+ s32i t1h, a2, 8
+ s32i t1l, a2, 12
+
+.LCzeroreturn:
+ movi a2, 0
+.LCreturn:
+ l32i a0, a1, S_lr
+ abi_return
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/decrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/decrypt.c
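Review bot: `ascon_core` copies the byte-swapped key into the stack frame at `S_key + 0 .. + 12` and `.LCreturn` restores `a0` and executes `abi_return` without clearing those words (nor `S_state` or the scratch block at offsets 0..4), so the key remains in dead stack memory after every call; zeroing the four `S_key` slots before `abi_return` is cheap, and `a3` appears to be free at that point since the return value is in `a2`. Separately, the `ascon_permute` header comment says the state lives in `a6 .. a9 and sp + 16 .. sp + 36`, but the code only loads and stores `S_state + 0 .. + 12` (x2h..x3l) and keeps x4 in a14/a15 per the register allocation, so the range looks copied from the ASCON128a column of the frame table and should say `sp + 16 .. sp + 28`. The `ascon_permute_noload` comment lists a3 both as the round count and as a temporary, which only works because `floop a3, Ploop` consumes it before the first `sbox`; a clause like `# a3 is free after floop` would save the next reader the check.
```asm
.LCreturn:
    # scrub the key copy from the frame before returning
    movi a3, 0
    s32i a3, a1, (S_key + 0)
    s32i a3, a1, (S_key + 4)
    s32i a3, a1, (S_key + 8)
    s32i a3, a1, (S_key + 12)
    l32i a0, a1, S_lr
    abi_return
```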
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/implementors b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_esp32/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/api.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.S b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.S
new file mode 100644
index 0000000..d925435
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.S
@@ -0,0 +1,437 @@
+#include "api.h"
+
+## REGISTER ALLOCATION
+#define t0h t3
+#define t0l t4
+#define t1h t5
+#define t1l t6
+#define x0h s0
+#define x0l s1
+#define x1h s2
+#define x1l s3
+#define x2h s4
+#define x2l s5
+#define x3h s6
+#define x3l s7
+#define x4h s8
+#define x4l s9
+#define k0h s10
+#define k0l s11
+#define k1h a5
+#define k1l a6
+
+## OVERLAPPING REGISTER ALLOCATION
+#define optr a0
+#define iptr a3
+#define ilen a4
+#define mode a7
+
+## STACK FRAME LAYOUT
+## +-----------+-----------+-----------+------------+-----------+
+## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH |
+## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 |
+## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 |
+## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 |
+## | KEY 16 | KEY 16 | KEY 20 | | |
+## +-----------+-----------+-----------+------------+-----------+
+## 0 | bytes | bytes | bytes | bytes | bytes |
+## 4 | | | \---- | \---- | \---- | \---- |
+## 8 | | | | | | |
+## 12 | \---- | | | | |
+## 16 | | | key k2h | | |
+## 20 | optr | optr | optr | optr | optr |
+## 24 | mode | mode | mode | | |
+## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 |
+## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 |
+## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 |
+## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 |
+## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 |
+## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 |
+## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 |
+## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 |
+## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 |
+## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 |
+## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 |
+## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 |
+## 76 | saved ra | saved ra | saved ra | saved ra | saved ra |
+## 80 +-----------+-----------+-----------+------------+-----------+
+
+## ASCON128a
+#define RATE 8
+#define PA_ROUNDS 12
+#define PA_START_ROUND 0xf0
+#define PB_ROUNDS 6
+#define PB_START_ROUND 0x96
+#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0))
+#define IVl 0
+
+#define S_key 16
+#define S_optr 20
+#define S_mode 24
+
+.macro sbox x0, x1, x2, x3, x4, t0, t1, t2
+ xor \t1, \x0, \x4
+ xor \t2, \x3, \x4
+ xor \t0, \x1, \x2
+ orn \x4, \x3, \x4
+ xor \x4, \x4, \t0
+ xor \x3, \x3, \x1
+ or \x3, \x3, \t0
+ xor \x3, \x3, \t1
+ xor \x2, \x2, \t1
+ or \x2, \x2, \x1
+ xor \x2, \x2, \t2
+ or \x0, \x0, \t2
+ xor \t0, \t0, \x0
+ andn \x1, \x1, \t1
+ xor \x1, \x1, \t2
+.endm
+
+.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0
+ fsri \dl, \sl0, \sh0, \r0
+ fsri \dh, \sh0, \sl0, \r0
+ xor \dl, \dl, \sl
+ xor \dh, \dh, \sh
+ fsri \t0, \sl1, \sh1, \r1
+ fsri \sh, \sh1, \sl1, \r1
+ xor \dl, \dl, \t0
+ xor \dh, \dh, \sh
+.endm
+
+.align 4
+.globl ascon_permute
+.type ascon_permute,@function
+ascon_permute:
+ # ascon permutation
+ # state in s0 .. s9
+ # start round constant in t1
+ # temporaries in t3, t4, t5
+ # link register in t0
+ li t1l, 0x4b
+.LPloop:
+ # round constant
+ xor x2l, x2l, t1
+
+ # s-box
+ sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h
+ sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h
+
+ # linear layer
+ linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, t1h
+ linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, t1h
+ linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, t1h
+ linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, t1h
+ linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, t1h
+
+ # condition
+ addi t1, t1, -15
+ bge t1, t1l, .LPloop
+
+.LPend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_rev8
+.type ascon_rev8,@function
+ascon_rev8:
+ # ascon bytereverse one block
+ # arguments and results in t3, t4, t5, t6
+ # temporaries in t1, t2
+ # link register in t0
+ rev8 t1h, t1h
+ rev8 t1l, t1l
+.align 4
+.globl ascon_rev8_half
+.type ascon_rev8_half,@function
+ascon_rev8_half:
+ rev8 t0h, t0h
+ rev8 t0l, t0l
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_memcpy
+.type ascon_memcpy,@function
+ascon_memcpy:
+ # memcpy that preserves registers used by ascon
+ # dest in t1
+ # src in t2
+ # len in a4
+ # temporaries in t3, t4
+ # link register in t0
+ li t3, 0
+ j .LMcond
+.LMloop:
+ lbu t4, 0(t2)
+ sb t4, 0(t1)
+ addi t1, t1, 1
+ addi t2, t2, 1
+ addi t3, t3, 1
+.LMcond:
+ blt t3, ilen, .LMloop
+.LMend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_duplex
+.type ascon_duplex,@function
+ascon_duplex:
+ j .LDcond
+
+.LDloop:
+ lw t0h, 0(iptr)
+ lw t0l, 4(iptr)
+ jal t0, ascon_rev8_half
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+
+.LDsqueeze:
+ beq mode, zero, .LDreset
+
+ # ascon_rev8
+ # inlined here to preserve registers
+ rev8 t0, x0h
+ sw t0, 0(optr)
+ rev8 t0, x0l
+ sw t0, 4(optr)
+
+.LDreset:
+ bge mode, zero, .LDpermute
+ mv x0h, t0h
+ mv x0l, t0l
+
+.LDpermute:
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+ addi optr, optr, RATE
+ addi iptr, iptr, RATE
+ addi ilen, ilen, -RATE
+
+.LDcond:
+ li t0, RATE
+ bge ilen, t0, .LDloop
+
+.LDend:
+ sw zero, 0(sp)
+ sw zero, 4(sp)
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ add t1, sp, ilen
+ lbu t0, 0(t1)
+ xori t0, t0, 0x80
+ sb t0, 0(t1)
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ jal t0, ascon_rev8_half
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+
+.LDendsqueeze:
+ beq mode, zero, .LDendreset
+
+ mv t0h, x0h
+ mv t0l, x0l
+ jal t0, ascon_rev8_half
+ sw t0h, 0(sp)
+ sw t0l, 4(sp)
+
+ mv t1, optr
+ mv t2, sp
+ jal t0, ascon_memcpy
+
+.LDendreset:
+ bge mode, zero, .LDreturn
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ jal t0, ascon_rev8_half
+ mv x0h, t0h
+ mv x0l, t0l
+
+.LDreturn:
+ add optr, optr, ilen
+ add iptr, iptr, ilen
+ ret
+
+.macro sw_unaligned x, off, a
+ sb \x, 0+\off(\a)
+ srli \x, \x, 8
+ sb \x, 1+\off(\a)
+ srli \x, \x, 8
+ sb \x, 2+\off(\a)
+ srli \x, \x, 8
+ sb \x, 3+\off(\a)
+.endm
+
+.macro lw_unaligned_4x x1, x2, x3, x4, a, t0, t1
+ andi \t0, \a, -4
+ lw \x1, 0(\t0)
+ lw \x2, 4(\t0)
+ lw \x3, 8(\t0)
+ lw \x4, 12(\t0)
+ beq \t0, \a, 1f
+ lw \t0, 16(\t0)
+ andi \t1, \a, 3
+ slli \t1, \t1, 3
+ fsr \x1, \x1, \x2, \t1
+ fsr \x2, \x2, \x3, \t1
+ fsr \x3, \x3, \x4, \t1
+ fsr \x4, \x4, \t0, \t1
+ 1:
+.endm
+
+.align 4
+.globl ascon_core
+.type ascon_core,@function
+ascon_core:
+ # ascon algorithm
+ # sets up state in s0 .. s9
+ # outptr in a0
+ # inptr in a1
+ # inlen in a2
+ # adptr in a3 (later used as inptr)
+ # adlen in a4 (later used as inlen)
+ # nptr in a5 (later used as k1h)
+ # kptr in a6 (later used as k1l)
+ # mode in a7 (1 enc, 0 ad, -1 dec)
+ # link register in ra
+ addi sp, sp, -80
+ sw ra, 76(sp)
+ sw s0, 72(sp)
+ sw s1, 68(sp)
+ sw s2, 64(sp)
+ sw s3, 60(sp)
+ sw s4, 56(sp)
+ sw s5, 52(sp)
+ sw s6, 48(sp)
+ sw s7, 44(sp)
+ sw s8, 40(sp)
+ sw s9, 36(sp)
+ sw s10, 32(sp)
+ sw s11, 28(sp)
+
+ # sign-extend mode
+ slli a7, a7, 24
+ srai a7, a7, 24
+
+ lw t0h, 0(a5)
+ lw t0l, 4(a5)
+ lw t1h, 8(a5)
+ lw t1l, 12(a5)
+ jal t0, ascon_rev8
+ mv x3h, t0h
+ mv x3l, t0l
+ mv x4h, t1h
+ mv x4l, t1l
+
+ lw t0h, 0(a6)
+ lw t0l, 4(a6)
+ lw t1h, 8(a6)
+ lw t1l, 12(a6)
+ jal t0, ascon_rev8
+ mv k0h, t0h
+ mv k0l, t0l
+ mv k1h, t1h
+ mv k1l, t1l
+
+ li x0h, IVh
+ li x0l, IVl
+ mv x1h, k0h
+ mv x1l, k0l
+ mv x2h, k1h
+ mv x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ beq ilen, zero, .LCskipad
+
+ sw optr, S_optr(sp)
+ sw mode, S_mode(sp)
+ mv mode, zero
+ jal ra, ascon_duplex
+ lw optr, S_optr(sp)
+ lw mode, S_mode(sp)
+
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+.LCskipad:
+ xori x4l, x4l, 1
+
+ mv iptr, a1
+ mv ilen, a2
+ jal ra, ascon_duplex
+
+ xor x1h, x1h, k0h
+ xor x1l, x1l, k0l
+ xor x2h, x2h, k1h
+ xor x2l, x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ bge mode, zero, .LCencrypt
+.LCdecrypt:
+ lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1
+ jal t0, ascon_rev8
+
+ xor t0, x3h, t0h
+ xor t1, x3l, t0l
+ xor t0, t0, t1
+ xor t1, x4h, t1h
+ xor t0, t0, t1
+ xor t1, x4l, t1l
+ xor t0, t0, t1
+
+ beq t0, zero, .LCzeroreturn
+ li a0, -1
+ j .LCreturn
+.LCencrypt:
+
+ mv t0h, x3h
+ mv t0l, x3l
+ mv t1h, x4h
+ mv t1l, x4l
+ jal t0, ascon_rev8
+ sw_unaligned t0h, 0, optr
+ sw_unaligned t0l, 4, optr
+ sw_unaligned t1h, 8, optr
+ sw_unaligned t1l, 12, optr
+
+.LCzeroreturn:
+ li a0, 0
+.LCreturn:
+ lw ra, 76(sp)
+ lw s0, 72(sp)
+ lw s1, 68(sp)
+ lw s2, 64(sp)
+ lw s3, 60(sp)
+ lw s4, 56(sp)
+ lw s5, 52(sp)
+ lw s6, 48(sp)
+ lw s7, 44(sp)
+ lw s8, 40(sp)
+ lw s9, 36(sp)
+ lw s10, 32(sp)
+ lw s11, 28(sp)
+ addi sp, sp, 80
+ jalr zero, 0(ra)
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/decrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/decrypt.c
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/encrypt.c
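Review bot: `ascon_core` restores only `ra` and `s0`–`s11` at `.LCreturn`, so the key words moved into `k1h`/`k1l` (`a5`/`a6`) and the tag/state words left in `t3`–`t6` are still live in registers when it returns, and the padded last block that `ascon_duplex` assembles at `0(sp)`/`4(sp)` stays in the popped frame; on a constrained target this is the usual place to add `li a5, 0` / `li a6, 0` and `sw zero, 0(sp)` / `sw zero, 4(sp)` before `addi sp, sp, 80`. The tag comparison at `.LCdecrypt` (XOR-accumulate into `t0`, then a single `beq`) is constant-time, which deserves a comment there so a later edit does not turn it into an early-exit compare. The section comment `## ASCON128a` above `#define RATE 8` contradicts the constants (RATE 8 and PB_ROUNDS 6 are the Ascon-128 parameters, and the asm_rv32b and asm_rv32i copies say `## ASCON128`); it should read `## ASCON128`. The `ascon.S` hunks for asm_rv32b and asm_rv32i share the register/stack point.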
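Review bot: `ascon_core` declares `inlen` and `adlen` as `unsigned int` while `crypto_aead_encrypt`/`crypto_aead_decrypt` pass `unsigned long long`, so a length above `UINT_MAX` is silently truncated even though `*clen`/`*mlen` are computed from the full value; unreachable in practice on a 32-bit target, but the wrappers should reject it rather than depend on that, e.g. `if (mlen > UINT_MAX || adlen > UINT_MAX) return -1;` before the call. The prototype would also benefit from a comment that `mode` is read as a signed byte by the assembly (`slli`/`srai` by 24 in `ascon_core`: 1 encrypt, 0 AD only, -1 decrypt), since the C type is `unsigned char` and callers pass `-1`. The same header is added for asm_rv32b and asm_rv32i.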
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/implementors b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_fsr_rv32b/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/api.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.S b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.S
new file mode 100644
index 0000000..33c6139
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.S
@@ -0,0 +1,454 @@
+#include "api.h"
+
+## REGISTER ALLOCATION
+#define t0h t3
+#define t0l t4
+#define t1h t5
+#define t1l t6
+#define x0h s0
+#define x0l s1
+#define x1h s2
+#define x1l s3
+#define x2h s4
+#define x2l s5
+#define x3h s6
+#define x3l s7
+#define x4h s8
+#define x4l s9
+#define k0h s10
+#define k0l s11
+#define k1h a5
+#define k1l a6
+
+## OVERLAPPING REGISTER ALLOCATION
+#define optr a0
+#define iptr a3
+#define ilen a4
+#define mode a7
+
+## STACK FRAME LAYOUT
+## +-----------+-----------+-----------+------------+-----------+
+## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH |
+## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 |
+## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 |
+## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 |
+## | KEY 16 | KEY 16 | KEY 20 | | |
+## +-----------+-----------+-----------+------------+-----------+
+## 0 | bytes | bytes | bytes | bytes | bytes |
+## 4 | | | \---- | \---- | \---- | \---- |
+## 8 | | | | | | |
+## 12 | \---- | | | | |
+## 16 | | | key k2h | | |
+## 20 | optr | optr | optr | optr | optr |
+## 24 | mode | mode | mode | | |
+## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 |
+## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 |
+## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 |
+## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 |
+## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 |
+## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 |
+## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 |
+## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 |
+## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 |
+## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 |
+## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 |
+## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 |
+## 76 | saved ra | saved ra | saved ra | saved ra | saved ra |
+## 80 +-----------+-----------+-----------+------------+-----------+
+
+## ASCON128
+#define RATE 8
+#define PA_ROUNDS 12
+#define PA_START_ROUND 0xf0
+#define PB_ROUNDS 6
+#define PB_START_ROUND 0x96
+#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0))
+#define IVl 0
+
+#define S_key 16
+#define S_optr 20
+#define S_mode 24
+
+.macro sbox x0, x1, x2, x3, x4, t0, t1, t2
+ xor \t1, \x0, \x4
+ xor \t2, \x3, \x4
+ xor \t0, \x1, \x2
+ orn \x4, \x3, \x4
+ xor \x4, \x4, \t0
+ xor \x3, \x3, \x1
+ or \x3, \x3, \t0
+ xor \x3, \x3, \t1
+ xor \x2, \x2, \t1
+ or \x2, \x2, \x1
+ xor \x2, \x2, \t2
+ or \x0, \x0, \t2
+ xor \t0, \t0, \x0
+ andn \x1, \x1, \t1
+ xor \x1, \x1, \t2
+.endm
+
+.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0
+ slli \dh, \sl0, (32 - \r0)
+ srli \t0, \sh0, \r0
+ xor \dh, \dh, \t0
+ slli \t0, \sl1, (32 - \r1)
+ xor \dh, \dh, \t0
+ srli \t0, \sh1, \r1
+ xor \dh, \dh, \t0
+ slli \dl, \sh0, (32 - \r0)
+ srli \t0, \sl0, \r0
+ xor \dl, \dl, \t0
+ slli \t0, \sh1, (32 - \r1)
+ xor \dl, \dl, \t0
+ srli \t0, \sl1, \r1
+ xor \dl, \dl, \t0
+ xor \dl, \dl, \sl
+ xor \dh, \dh, \sh
+.endm
+
+.align 4
+.globl ascon_permute
+.type ascon_permute,@function
+ascon_permute:
+ # ascon permutation
+ # state in s0 .. s9
+ # start round constant in t1
+ # temporaries in t3, t4, t5
+ # link register in t0
+ li t1l, 0x4b
+.LPloop:
+ # round constant
+ xor x2l, x2l, t1
+
+ # s-box
+ sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h
+ sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h
+
+ # linear layer
+ linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, t1h
+ linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, t1h
+ linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, t1h
+ linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, t1h
+ linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, t1h
+
+ # condition
+ addi t1, t1, -15
+ bge t1, t1l, .LPloop
+
+.LPend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_rev8
+.type ascon_rev8,@function
+ascon_rev8:
+ # ascon bytereverse one block
+ # arguments and results in t3, t4, t5, t6
+ # temporaries in t1, t2
+ # link register in t0
+ rev8 t1h, t1h
+ rev8 t1l, t1l
+.align 4
+.globl ascon_rev8_half
+.type ascon_rev8_half,@function
+ascon_rev8_half:
+ rev8 t0h, t0h
+ rev8 t0l, t0l
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_memcpy
+.type ascon_memcpy,@function
+ascon_memcpy:
+ # memcpy that preserves registers used by ascon
+ # dest in t1
+ # src in t2
+ # len in a4
+ # temporaries in t3, t4
+ # link register in t0
+ li t3, 0
+ j .LMcond
+.LMloop:
+ lbu t4, 0(t2)
+ sb t4, 0(t1)
+ addi t1, t1, 1
+ addi t2, t2, 1
+ addi t3, t3, 1
+.LMcond:
+ blt t3, ilen, .LMloop
+.LMend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_duplex
+.type ascon_duplex,@function
+ascon_duplex:
+ j .LDcond
+
+.LDloop:
+ lw t0h, 0(iptr)
+ lw t0l, 4(iptr)
+ jal t0, ascon_rev8_half
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+
+.LDsqueeze:
+ beq mode, zero, .LDreset
+
+ # ascon_rev8
+ # inlined here to preserve registers
+ rev8 t0, x0h
+ sw t0, 0(optr)
+ rev8 t0, x0l
+ sw t0, 4(optr)
+
+.LDreset:
+ bge mode, zero, .LDpermute
+ mv x0h, t0h
+ mv x0l, t0l
+
+.LDpermute:
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+ addi optr, optr, RATE
+ addi iptr, iptr, RATE
+ addi ilen, ilen, -RATE
+
+.LDcond:
+ li t0, RATE
+ bge ilen, t0, .LDloop
+
+.LDend:
+ sw zero, 0(sp)
+ sw zero, 4(sp)
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ add t1, sp, ilen
+ lbu t0, 0(t1)
+ xori t0, t0, 0x80
+ sb t0, 0(t1)
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ jal t0, ascon_rev8_half
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+
+.LDendsqueeze:
+ beq mode, zero, .LDendreset
+
+ mv t0h, x0h
+ mv t0l, x0l
+ jal t0, ascon_rev8_half
+ sw t0h, 0(sp)
+ sw t0l, 4(sp)
+
+ mv t1, optr
+ mv t2, sp
+ jal t0, ascon_memcpy
+
+.LDendreset:
+ bge mode, zero, .LDreturn
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ jal t0, ascon_rev8_half
+ mv x0h, t0h
+ mv x0l, t0l
+
+.LDreturn:
+ add optr, optr, ilen
+ add iptr, iptr, ilen
+ ret
+
+.macro sw_unaligned x, off, a
+ sb \x, 0+\off(\a)
+ srli \x, \x, 8
+ sb \x, 1+\off(\a)
+ srli \x, \x, 8
+ sb \x, 2+\off(\a)
+ srli \x, \x, 8
+ sb \x, 3+\off(\a)
+.endm
+
+.macro lw_unaligned_4x x1, x2, x3, x4, a, t0, t1, t2, t3
+ andi \t0, \a, -4
+ lw \x1, 0(\t0)
+ lw \x2, 4(\t0)
+ lw \x3, 8(\t0)
+ lw \x4, 12(\t0)
+ beq \t0, \a, 1f
+ lw \t0, 16(\t0)
+ andi \t1, \a, 3
+ slli \t1, \t1, 3
+ sub \t2, zero, \t1
+ srl \x1, \x1, \t1
+ sll \t3, \x2, \t2
+ or \x1, \x1, \t3
+ srl \x2, \x2, \t1
+ sll \t3, \x3, \t2
+ or \x2, \x2, \t3
+ srl \x3, \x3, \t1
+ sll \t3, \x4, \t2
+ or \x3, \x3, \t3
+ srl \x4, \x4, \t1
+ sll \t3, \t0, \t2
+ or \x4, \x4, \t3
+ 1:
+.endm
+
+.align 4
+.globl ascon_core
+.type ascon_core,@function
+ascon_core:
+ # ascon algorithm
+ # sets up state in s0 .. s9
+ # outptr in a0
+ # inptr in a1
+ # inlen in a2
+ # adptr in a3 (later used as inptr)
+ # adlen in a4 (later used as inlen)
+ # nptr in a5 (later used as k1h)
+ # kptr in a6 (later used as k1l)
+ # mode in a7 (1 enc, 0 ad, -1 dec)
+ # link register in ra
+ addi sp, sp, -80
+ sw ra, 76(sp)
+ sw s0, 72(sp)
+ sw s1, 68(sp)
+ sw s2, 64(sp)
+ sw s3, 60(sp)
+ sw s4, 56(sp)
+ sw s5, 52(sp)
+ sw s6, 48(sp)
+ sw s7, 44(sp)
+ sw s8, 40(sp)
+ sw s9, 36(sp)
+ sw s10, 32(sp)
+ sw s11, 28(sp)
+
+ # sign-extend mode
+ slli a7, a7, 24
+ srai a7, a7, 24
+
+ lw t0h, 0(a5)
+ lw t0l, 4(a5)
+ lw t1h, 8(a5)
+ lw t1l, 12(a5)
+ jal t0, ascon_rev8
+ mv x3h, t0h
+ mv x3l, t0l
+ mv x4h, t1h
+ mv x4l, t1l
+
+ lw t0h, 0(a6)
+ lw t0l, 4(a6)
+ lw t1h, 8(a6)
+ lw t1l, 12(a6)
+ jal t0, ascon_rev8
+ mv k0h, t0h
+ mv k0l, t0l
+ mv k1h, t1h
+ mv k1l, t1l
+
+ li x0h, IVh
+ li x0l, IVl
+ mv x1h, k0h
+ mv x1l, k0l
+ mv x2h, k1h
+ mv x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ beq ilen, zero, .LCskipad
+
+ sw optr, S_optr(sp)
+ sw mode, S_mode(sp)
+ mv mode, zero
+ jal ra, ascon_duplex
+ lw optr, S_optr(sp)
+ lw mode, S_mode(sp)
+
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+.LCskipad:
+ xori x4l, x4l, 1
+
+ mv iptr, a1
+ mv ilen, a2
+ jal ra, ascon_duplex
+
+ xor x1h, x1h, k0h
+ xor x1l, x1l, k0l
+ xor x2h, x2h, k1h
+ xor x2l, x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ bge mode, zero, .LCencrypt
+.LCdecrypt:
+ lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1, t2, k0h
+ jal t0, ascon_rev8
+
+ xor t0, x3h, t0h
+ xor t1, x3l, t0l
+ xor t0, t0, t1
+ xor t1, x4h, t1h
+ xor t0, t0, t1
+ xor t1, x4l, t1l
+ xor t0, t0, t1
+
+ beq t0, zero, .LCzeroreturn
+ li a0, -1
+ j .LCreturn
+.LCencrypt:
+
+ mv t0h, x3h
+ mv t0l, x3l
+ mv t1h, x4h
+ mv t1l, x4l
+ jal t0, ascon_rev8
+ sw_unaligned t0h, 0, optr
+ sw_unaligned t0l, 4, optr
+ sw_unaligned t1h, 8, optr
+ sw_unaligned t1l, 12, optr
+
+.LCzeroreturn:
+ li a0, 0
+.LCreturn:
+ lw ra, 76(sp)
+ lw s0, 72(sp)
+ lw s1, 68(sp)
+ lw s2, 64(sp)
+ lw s3, 60(sp)
+ lw s4, 56(sp)
+ lw s5, 52(sp)
+ lw s6, 48(sp)
+ lw s7, 44(sp)
+ lw s8, 40(sp)
+ lw s9, 36(sp)
+ lw s10, 32(sp)
+ lw s11, 28(sp)
+ addi sp, sp, 80
+ jalr zero, 0(ra)
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/decrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/decrypt.c
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/implementors b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32b/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/api.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/api.h
new file mode 100644
index 0000000..6ad53ca
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/api.h
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.S b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.S
new file mode 100644
index 0000000..0a16299
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.S
@@ -0,0 +1,468 @@
+#include "api.h"
+
+## REGISTER ALLOCATION
+#define t0h t3
+#define t0l t4
+#define t1h t5
+#define t1l t6
+#define x0h s0
+#define x0l s1
+#define x1h s2
+#define x1l s3
+#define x2h s4
+#define x2l s5
+#define x3h s6
+#define x3l s7
+#define x4h s8
+#define x4l s9
+#define k0h s10
+#define k0l s11
+#define k1h a5
+#define k1l a6
+
+## OVERLAPPING REGISTER ALLOCATION
+#define optr a0
+#define iptr a3
+#define ilen a4
+#define mode a7
+
+## STACK FRAME LAYOUT
+## +-----------+-----------+-----------+------------+-----------+
+## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH |
+## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 |
+## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 |
+## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 |
+## | KEY 16 | KEY 16 | KEY 20 | | |
+## +-----------+-----------+-----------+------------+-----------+
+## 0 | bytes | bytes | bytes | bytes | bytes |
+## 4 | | | \---- | \---- | \---- | \---- |
+## 8 | | | | | | |
+## 12 | \---- | | | | |
+## 16 | | | key k2h | | |
+## 20 | optr | optr | optr | optr | optr |
+## 24 | mode | mode | mode | | |
+## 28 | saved s11 | saved s11 | saved s11 | saved s11 | saved s11 |
+## 32 | saved s10 | saved s10 | saved s10 | saved s10 | saved s10 |
+## 36 | saved s9 | saved s9 | saved s9 | saved s9 | saved s9 |
+## 40 | saved s8 | saved s8 | saved s8 | saved s8 | saved s8 |
+## 44 | saved s7 | saved s7 | saved s7 | saved s7 | saved s7 |
+## 48 | saved s6 | saved s6 | saved s6 | saved s6 | saved s6 |
+## 52 | saved s5 | saved s5 | saved s5 | saved s5 | saved s5 |
+## 56 | saved s4 | saved s4 | saved s4 | saved s4 | saved s4 |
+## 60 | saved s3 | saved s3 | saved s3 | saved s3 | saved s3 |
+## 64 | saved s2 | saved s2 | saved s2 | saved s2 | saved s2 |
+## 68 | saved s1 | saved s1 | saved s1 | saved s1 | saved s1 |
+## 72 | saved s0 | saved s0 | saved s0 | saved s0 | saved s0 |
+## 76 | saved ra | saved ra | saved ra | saved ra | saved ra |
+## 80 +-----------+-----------+-----------+------------+-----------+
+
+## ASCON128
+#define RATE 8
+#define PA_ROUNDS 12
+#define PA_START_ROUND 0xf0
+#define PB_ROUNDS 6
+#define PB_START_ROUND 0x96
+#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0))
+#define IVl 0
+
+#define S_key 16
+#define S_optr 20
+#define S_mode 24
+
+.macro sbox x0, x1, x2, x3, x4, t0, t1, t2
+ xor \t1, \x0, \x4
+ xor \t2, \x3, \x4
+ xori \x4, \x4, -1
+ xor \t0, \x1, \x2
+ or \x4, \x4, \x3
+ xor \x4, \x4, \t0
+ xor \x3, \x3, \x1
+ or \x3, \x3, \t0
+ xor \x3, \x3, \t1
+ xor \x2, \x2, \t1
+ or \x2, \x2, \x1
+ xor \x2, \x2, \t2
+ or \x0, \x0, \t2
+ xor \t0, \t0, \x0
+ xori \t1, \t1, -1
+ and \x1, \x1, \t1
+ xor \x1, \x1, \t2
+.endm
+
+.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0
+ slli \dh, \sl0, (32 - \r0)
+ srli \t0, \sh0, \r0
+ xor \dh, \dh, \t0
+ slli \t0, \sl1, (32 - \r1)
+ xor \dh, \dh, \t0
+ srli \t0, \sh1, \r1
+ xor \dh, \dh, \t0
+ slli \dl, \sh0, (32 - \r0)
+ srli \t0, \sl0, \r0
+ xor \dl, \dl, \t0
+ slli \t0, \sh1, (32 - \r1)
+ xor \dl, \dl, \t0
+ srli \t0, \sl1, \r1
+ xor \dl, \dl, \t0
+ xor \dl, \dl, \sl
+ xor \dh, \dh, \sh
+.endm
+
+.align 4
+.globl ascon_permute
+.type ascon_permute,@function
+ascon_permute:
+ # ascon permutation
+ # state in s0 .. s9
+ # start round constant in t1
+ # temporaries in t3, t4, t5
+ # link register in t0
+ li t1l, 0x4b
+.LPloop:
+ # round constant
+ xor x2l, x2l, t1
+
+ # s-box
+ sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t1h
+ sbox x0h, x1h, x2h, x3h, x4h, t0h, x0l, t1h
+
+ # linear layer
+ linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, t1h
+ linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, t1h
+ linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, t1h
+ linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, t1h
+ linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, t1h
+
+ # condition
+ addi t1, t1, -15
+ bge t1, t1l, .LPloop
+
+.LPend:
+ jalr zero, 0(t0)
+
+.macro rev8 d, x, t0, t1
+ slli \t0, \x, 24
+ srli \d, \x, 8
+ or \d, \d, \t0
+ srli \t0, \d, 16
+ xor \t0, \t0, \d
+ andi \t0, \t0, 0xff
+ slli \t1, \t0, 16
+ xor \t0, \t0, \t1
+ xor \d, \d, \t0
+.endm
+
+.align 4
+.globl ascon_rev8
+.type ascon_rev8,@function
+ascon_rev8:
+ # ascon bytereverse one block
+ # arguments and results in t3, t4, t5, t6
+ # temporaries in t1, t2
+ # link register in t0
+ rev8 t1h, t1h, t1, t2
+ rev8 t1l, t1l, t1, t2
+.align 4
+.globl ascon_rev8_half
+.type ascon_rev8_half,@function
+ascon_rev8_half:
+ rev8 t0h, t0h, t1, t2
+ rev8 t0l, t0l, t1, t2
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_memcpy
+.type ascon_memcpy,@function
+ascon_memcpy:
+ # memcpy that preserves registers used by ascon
+ # dest in t1
+ # src in t2
+ # len in a4
+ # temporaries in t3, t4
+ # link register in t0
+ li t3, 0
+ j .LMcond
+.LMloop:
+ lbu t4, 0(t2)
+ sb t4, 0(t1)
+ addi t1, t1, 1
+ addi t2, t2, 1
+ addi t3, t3, 1
+.LMcond:
+ blt t3, ilen, .LMloop
+.LMend:
+ jalr zero, 0(t0)
+
+.align 4
+.globl ascon_duplex
+.type ascon_duplex,@function
+ascon_duplex:
+ j .LDcond
+
+.LDloop:
+ lw t0h, 0(iptr)
+ lw t0l, 4(iptr)
+ jal t0, ascon_rev8_half
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+
+.LDsqueeze:
+ beq mode, zero, .LDreset
+
+ # ascon_rev8
+ # inlined here to preserve registers
+ rev8 t0, x0h, t1, t2
+ sw t0, 0(optr)
+ rev8 t0, x0l, t1, t2
+ sw t0, 4(optr)
+
+.LDreset:
+ bge mode, zero, .LDpermute
+ mv x0h, t0h
+ mv x0l, t0l
+
+.LDpermute:
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+ addi optr, optr, RATE
+ addi iptr, iptr, RATE
+ addi ilen, ilen, -RATE
+
+.LDcond:
+ li t0, RATE
+ bge ilen, t0, .LDloop
+
+.LDend:
+ sw zero, 0(sp)
+ sw zero, 4(sp)
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ add t1, sp, ilen
+ lbu t0, 0(t1)
+ xori t0, t0, 0x80
+ sb t0, 0(t1)
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ jal t0, ascon_rev8_half
+ xor x0h, x0h, t0h
+ xor x0l, x0l, t0l
+
+.LDendsqueeze:
+ beq mode, zero, .LDendreset
+
+ mv t0h, x0h
+ mv t0l, x0l
+ jal t0, ascon_rev8_half
+ sw t0h, 0(sp)
+ sw t0l, 4(sp)
+
+ mv t1, optr
+ mv t2, sp
+ jal t0, ascon_memcpy
+
+.LDendreset:
+ bge mode, zero, .LDreturn
+
+ mv t1, sp
+ mv t2, iptr
+ jal t0, ascon_memcpy
+
+ lw t0h, 0(sp)
+ lw t0l, 4(sp)
+ jal t0, ascon_rev8_half
+ mv x0h, t0h
+ mv x0l, t0l
+
+.LDreturn:
+ add optr, optr, ilen
+ add iptr, iptr, ilen
+ ret
+
+.macro sw_unaligned x, off, a
+ sb \x, 0+\off(\a)
+ srli \x, \x, 8
+ sb \x, 1+\off(\a)
+ srli \x, \x, 8
+ sb \x, 2+\off(\a)
+ srli \x, \x, 8
+ sb \x, 3+\off(\a)
+.endm
+
+.macro lw_unaligned_4x x1, x2, x3, x4, a, t0, t1, t2, t3
+ andi \t0, \a, -4
+ lw \x1, 0(\t0)
+ lw \x2, 4(\t0)
+ lw \x3, 8(\t0)
+ lw \x4, 12(\t0)
+ beq \t0, \a, 1f
+ lw \t0, 16(\t0)
+ andi \t1, \a, 3
+ slli \t1, \t1, 3
+ sub \t2, zero, \t1
+ srl \x1, \x1, \t1
+ sll \t3, \x2, \t2
+ or \x1, \x1, \t3
+ srl \x2, \x2, \t1
+ sll \t3, \x3, \t2
+ or \x2, \x2, \t3
+ srl \x3, \x3, \t1
+ sll \t3, \x4, \t2
+ or \x3, \x3, \t3
+ srl \x4, \x4, \t1
+ sll \t3, \t0, \t2
+ or \x4, \x4, \t3
+ 1:
+.endm
+
+.align 4
+.globl ascon_core
+.type ascon_core,@function
+ascon_core:
+ # ascon algorithm
+ # sets up state in s0 .. s9
+ # outptr in a0
+ # inptr in a1
+ # inlen in a2
+ # adptr in a3 (later used as inptr)
+ # adlen in a4 (later used as inlen)
+ # nptr in a5 (later used as k1h)
+ # kptr in a6 (later used as k1l)
+ # mode in a7 (1 enc, 0 ad, -1 dec)
+ # link register in ra
+ addi sp, sp, -80
+ sw ra, 76(sp)
+ sw s0, 72(sp)
+ sw s1, 68(sp)
+ sw s2, 64(sp)
+ sw s3, 60(sp)
+ sw s4, 56(sp)
+ sw s5, 52(sp)
+ sw s6, 48(sp)
+ sw s7, 44(sp)
+ sw s8, 40(sp)
+ sw s9, 36(sp)
+ sw s10, 32(sp)
+ sw s11, 28(sp)
+
+ # sign-extend mode
+ slli a7, a7, 24
+ srai a7, a7, 24
+
+ lw t0h, 0(a5)
+ lw t0l, 4(a5)
+ lw t1h, 8(a5)
+ lw t1l, 12(a5)
+ jal t0, ascon_rev8
+ mv x3h, t0h
+ mv x3l, t0l
+ mv x4h, t1h
+ mv x4l, t1l
+
+ lw t0h, 0(a6)
+ lw t0l, 4(a6)
+ lw t1h, 8(a6)
+ lw t1l, 12(a6)
+ jal t0, ascon_rev8
+ mv k0h, t0h
+ mv k0l, t0l
+ mv k1h, t1h
+ mv k1l, t1l
+
+ li x0h, IVh
+ li x0l, IVl
+ mv x1h, k0h
+ mv x1l, k0l
+ mv x2h, k1h
+ mv x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ beq ilen, zero, .LCskipad
+
+ sw optr, S_optr(sp)
+ sw mode, S_mode(sp)
+ mv mode, zero
+ jal ra, ascon_duplex
+ lw optr, S_optr(sp)
+ lw mode, S_mode(sp)
+
+ li t1, PB_START_ROUND
+ jal t0, ascon_permute
+
+.LCskipad:
+ xori x4l, x4l, 1
+
+ mv iptr, a1
+ mv ilen, a2
+ jal ra, ascon_duplex
+
+ xor x1h, x1h, k0h
+ xor x1l, x1l, k0l
+ xor x2h, x2h, k1h
+ xor x2l, x2l, k1l
+
+ li t1, PA_START_ROUND
+ jal t0, ascon_permute
+
+ xor x3h, x3h, k0h
+ xor x3l, x3l, k0l
+ xor x4h, x4h, k1h
+ xor x4l, x4l, k1l
+
+ bge mode, zero, .LCencrypt
+.LCdecrypt:
+ lw_unaligned_4x t0h, t0l, t1h, t1l, iptr, t0, t1, t2, k0h
+ jal t0, ascon_rev8
+
+ xor t0, x3h, t0h
+ xor t1, x3l, t0l
+ xor t0, t0, t1
+ xor t1, x4h, t1h
+ xor t0, t0, t1
+ xor t1, x4l, t1l
+ xor t0, t0, t1
+
+ beq t0, zero, .LCzeroreturn
+ li a0, -1
+ j .LCreturn
+.LCencrypt:
+
+ mv t0h, x3h
+ mv t0l, x3l
+ mv t1h, x4h
+ mv t1l, x4l
+ jal t0, ascon_rev8
+ sw_unaligned t0h, 0, optr
+ sw_unaligned t0l, 4, optr
+ sw_unaligned t1h, 8, optr
+ sw_unaligned t1l, 12, optr
+
+.LCzeroreturn:
+ li a0, 0
+.LCreturn:
+ lw ra, 76(sp)
+ lw s0, 72(sp)
+ lw s1, 68(sp)
+ lw s2, 64(sp)
+ lw s3, 60(sp)
+ lw s4, 56(sp)
+ lw s5, 52(sp)
+ lw s6, 48(sp)
+ lw s7, 44(sp)
+ lw s8, 40(sp)
+ lw s9, 36(sp)
+ lw s10, 32(sp)
+ lw s11, 28(sp)
+ addi sp, sp, 80
+ jalr zero, 0(ra)
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.h
new file mode 100644
index 0000000..74e5220
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/ascon.h
@@ -0,0 +1,6 @@
+#include "api.h"
+
+int ascon_core(unsigned char* outptr, const unsigned char* inptr,
+ unsigned int inlen, const unsigned char* adptr,
+ unsigned int adlen, const unsigned char* nptr,
+ const unsigned char* kptr, unsigned char mode);
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/decrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/decrypt.c
new file mode 100644
index 0000000..0b0211d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/decrypt.c
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/implementors b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/asm_rv32i/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/api.h b/ascon/Implementations/crypto_aead/ascon128v12/avx512/api.h
index bc90a81..2c7f738 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/api.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/api.h
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 16
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/avx512/ascon.h
index 7ead350..d29f5c2 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/ascon.h
@@ -8,15 +8,21 @@
 typedef union {
 __m512i z;
- struct {
- word_t x0, x1, x2, x3, x4, x5, x6, x7;
- };
+ uint64_t x[5];
 } state_t;
-void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k);
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} akey_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const akey_t* k);
 void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
 void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
 void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
-void ascon_final(state_t* s, const uint8_t* k);
+void ascon_final(state_t* s, const akey_t* k);
-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/avx512/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/constants.h
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/avx512/encrypt.c
new file mode 100644
index 0000000..4d28e3d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/encrypt.c
@@ -0,0 +1,238 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#define AVX512_SHUFFLE_U64BIG \ + _mm512_set_epi8(-1, -1, -1, -1, -1, -1, -1, -1, /* word 7 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 6 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 5 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 4 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 3 */ \ + -1, -1, -1, -1, -1, -1, -1, -1, /* word 2 */ \ + 8, 9, 10, 11, 12, 13, 14, 15, /* word 1 */ \ + 0, 1, 2, 3, 4, 5, 6, 7) /* word 0 */ + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(akey_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const akey_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const __m512i u64big = AVX512_SHUFFLE_U64BIG; + const int mask = (ASCON_AEAD_RATE == 8) ? 0xff : 0xffff; + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + state_t r = *s, t; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + t.z = _mm512_maskz_loadu_epi8(mask, ad); + t.z = _mm512_maskz_shuffle_epi8(mask, t.z, u64big); + r.z = _mm512_xor_epi64(r.z, t.z); + printstate("absorb adata", &r); + P(&r, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + *s = r; + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const __m512i u64big = AVX512_SHUFFLE_U64BIG; + const int mask = (ASCON_AEAD_RATE == 8) ? 0xff : 0xffff; + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + state_t r = *s, t; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + t.z = _mm512_maskz_loadu_epi8(mask, m); + t.z = _mm512_maskz_shuffle_epi8(mask, t.z, u64big); + r.z = _mm512_xor_epi64(r.z, t.z); + t.z = _mm512_maskz_shuffle_epi8(mask, r.z, u64big); + _mm512_mask_storeu_epi8(c, mask, t.z); + printstate("absorb plaintext", &r); + P(&r, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + *s = r; + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const __m512i u64big = AVX512_SHUFFLE_U64BIG; + const int mask = (ASCON_AEAD_RATE == 8) ? 
0xff : 0xffff; + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + state_t r = *s, t, u; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + t.z = _mm512_maskz_loadu_epi8(mask, c); + t.z = _mm512_maskz_shuffle_epi8(mask, t.z, u64big); + r.z = _mm512_xor_epi64(r.z, t.z); + u.z = _mm512_maskz_shuffle_epi8(mask, r.z, u64big); + r.z = _mm512_mask_blend_epi8(mask, r.z, t.z); + _mm512_mask_storeu_epi8(m, mask, u.z); + printstate("insert ciphertext", &r); + P(&r, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + *s = r; + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const akey_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + akey_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + 
ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + akey_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.h 
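Review bot: crypto_aead_decrypt returns -1 on `clen < CRYPTO_ABYTES` without writing `*mlen`, while the asm_rv32i decrypt.c hunk earlier in this patch sets `*mlen = 0` on the same condition; a caller that reads `*mlen` before the return value sees an indeterminate value here, so `if (clen < CRYPTO_ABYTES) { *mlen = 0; return -1; }` would make the two backends agree. Separately, ascon_decrypt has already written the plaintext into `m` by the time NOTZERO compares the tag, so on a mismatch the caller's buffer holds unauthenticated plaintext and `*mlen` already reports its length; this deserves a comment at the NOTZERO line such as `/* m already holds the unverified plaintext; callers must discard it on a nonzero result */`, or an explicit clearing of `m` on failure. The tag check itself only stays constant-time if NOTZERO is compiled branch-free, as the existing comment already warns.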
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/permutations.h 
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.c 
@@ -1,21 +1,32 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/round.h b/ascon/Implementations/crypto_aead/ascon128v12/avx512/round.h
index 733d332..11d01ac 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/round.h
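Review bot: `for (int i = strlen(text); ...)` in printstate narrows a size_t into an int with no cast; `size_t i = strlen(text)` keeps the types honest at no cost. The guard macro is renamed from ASCON_PRINTSTATE to ASCON_PRINT_STATE in both printstate.c and printstate.h, so any build flag or config header that still defines the old name would now silently compile the empty stubs instead of the dump; that cannot be confirmed from these two files and is worth a grep. Because printstate prints all five state words, and the avx512 ascon_initaead hunk loads the key into x[1]/x[2] before its first printstate call, the macro must never be on in a production build; a comment at the `#ifdef` such as `/* debug only: dumps the full state, including key material */` would make that explicit.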
@@ -4,21 +4,7 @@
 #include "ascon.h"
 #include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-forceinline void ROUND(state_t* s, word_t C) {
+forceinline void ROUND(state_t* s, uint64_t C) {
 uint64_t x = 0;
 __mmask8 mxor1 = 0x15;
 __mmask8 mxor2 = 0x0b;
@@ -48,4 +34,8 @@ forceinline void ROUND(state_t* s, word_t C) {
 printstate(" round output", s);
 }
+forceinline void PROUNDS(state_t* s, int nr) {
+ for (int i = START(nr); i != END; i += INC) ROUND(s, (i));
+}
+
 #endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/avx512/word.h b/ascon/Implementations/crypto_aead/ascon128v12/avx512/word.h
index 3df73c4..79bfeb4 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/avx512/word.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/avx512/word.h
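Review bot: PROUNDS now stops on `i != END` instead of the bounded `i > 0x4a` condition that the permutations.h hunk removes, and with the avx512 constants.h definitions `START(n) ((3 + (n)) << 4 | (12 - (n)))`, `INC -0x0f`, `END 0x3c` the walk lands exactly on END only for 0 <= nr <= 12; for nr > 12 the low nibble goes negative, i starts negative and the loop never exits. Every visible call passes 12, 6 or 8, so this is a robustness point rather than a live defect, but the precondition belongs on the function: `/* nr must be in 0..12: START/INC/END are tuned so the walk hits END exactly */`, or a one-line `if (nr < 0 || nr > 12) return;` ahead of the loop. The bi32 constants.h later in this patch has the same property in a different shape: `START(n) (24 - 2 * (n))` is negative for nr > 12 and `RC(i)` then indexes constants[] below zero.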
@@ -2,30 +2,27 @@
 #define WORD_H_
 #include
+#include
 #include "endian.h"
 #include "forceinline.h"
-typedef uint64_t word_t;
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
-#define WORD_T
-#define UINT64_T
-#define U64TOWORD
-#define WORDTOU64
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
-forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); }
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
-forceinline word_t NOT(word_t a) { return ~a; }
-
-forceinline word_t XOR(word_t a, word_t b) { return a ^ b; }
-
-forceinline word_t AND(word_t a, word_t b) { return a & b; }
-
-forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) {
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
 return lo2hi << 32 | hi2lo >> 32;
 }
-forceinline int NOTZERO(word_t a, word_t b) {
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
 uint64_t result = a | b;
 result |= result >> 32;
 result |= result >> 16;
@@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) {
 return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
 }
-forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t CLEAR(uint64_t w, int n) {
 /* undefined for n == 0 */
- uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8);
+ uint64_t mask = ~0ull >> (8 * n);
 return w & mask;
 }
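Review bot: The comment `/* undefined for n == 0 */` kept on CLEAR is now stale: with `mask = ~0ull >> (8 * n)`, n == 0 gives an all-ones mask and returns w unchanged, whereas n == 8 shifts a 64-bit value by 64, which is undefined. The visible callers in the encrypt.c hunks pass `clen` with 0 < clen < 8, so behaviour is unaffected, but the comment should read `/* clears the first n bytes; undefined for n == 8 */`. The ROR change to `(-n & 63)` in the same hunk correctly removes the old shift-by-64 for n == 0.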
@@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) {
 return ~0ull >> (64 - 8 * n);
 }
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
 uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64BIG(x);
+ return U64TOWORD(x);
 }
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
 *(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(w);
+ *(uint64_t*)bytes |= WORDTOU64(w);
 }
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
 uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
- return x;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
 }
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i];
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
 }
 #endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/api.h
index bc90a81..2c7f738 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/api.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/api.h
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 16
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/ascon.h
index 990027b..196110e 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/ascon.h
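Review bot: LOAD and STORE still go through `*(uint64_t*)bytes`, so every call touches 8 bytes regardless of n: LOAD reads up to 8 - n bytes past the caller's data, and STORE is a read-modify-write in which `|= WORDTOU64(w)` ORs all eight bytes of w into memory, so bytes of the keyed state beyond position n land in the bytes after the block. For the partial-block calls in the encrypt.c hunks (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(c, *px, mlen)`, `STORE(m, *px, clen)`) that is an out-of-bounds read of `ad`/`m` and, in ascon_decrypt, an out-of-bounds write of state bytes past the end of the plaintext buffer `m`; in ascon_encrypt the spill is only hidden because the tag is stored over it afterwards. This hunk already moves LOADBYTES/STOREBYTES to memcpy with exactly n bytes, which produces the same word on the little-endian layout the MASK() form already assumes, so giving LOAD/STORE the same body removes the overrun, the unaligned access and the aliasing violation together. If the direct dereference is kept for speed, the requirement that callers supply readable and writable padding up to an 8-byte boundary has to be documented on both functions.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* exactly n bytes: no read past the block */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n); /* never writes state bytes beyond position n */
}
/* … unchanged: LOADBYTES, STOREBYTES … */
```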
@@ -5,14 +5,28 @@
 #include "word.h"
-typedef struct {
- word_t x0, x1, x2, x3, x4;
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
 } state_t;
-void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k);
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
 void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
 void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
 void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
-void ascon_final(state_t* s, const uint8_t* k);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/config.h
index 9568d5b..5d155e0 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/config.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/config.h
@@ -16,4 +16,14 @@
 #define ASCON_UNROLL_LOOPS 1
 #endif
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
 #endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.c
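Review bot: `key_t` is a POSIX type name that <sys/types.h> defines for System V IPC keys, so a translation unit that includes this header together with a system header that pulls in sys/types.h gets a conflicting typedef; the avx512/ascon.h hunk in this same patch names the identical struct `akey_t`, so `} akey_t;` here with `const akey_t* k` in ascon_initaead and ascon_final keeps the two backends consistent and avoids the clash. The bi32/encrypt.c hunk that follows also uses `key_t` and would need the same rename.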
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/constants.h
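Review bot: `constants` is exported here as an unprefixed external symbol, declared `extern const uint8_t constants[];` in the constants.h hunk that follows; in a library linked into arbitrary programs such a generic global name is a collision waiting to happen. `const uint8_t ascon_constants[]` with the extern declaration and the `RC(i)` macro updated to match would keep it in the project's namespace. The table must stay exactly 24 entries, since `RC(i)` reads `constants[i + 1]` and START/INC/END walk i from 0 to 22 for 12 rounds; a comment on the definition stating that, or a `_Static_assert` on `sizeof(constants)` where the language level allows it, would protect it.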
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32/encrypt.c
index 8b648a2..631e60c 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/encrypt.c
@@ -1,109 +1,220 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define RATE (64 / 8) -#define PA_ROUNDS 12 -#define PB_ROUNDS 6 -#define IV \ - ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \ - (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32) +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* nsec, const unsigned char* npub, - const unsigned char* k) { - u32_2 K0, K1, N0, N1; - u32_2 x0, x1, x2, x3, x4; - u32_2 t0, t1, t2, t3, t4; - u64 tmp0, tmp1; - u32 i; - (void)nsec; - - // set ciphertext size - *clen = mlen + CRYPTO_ABYTES; +#ifdef ASCON_AEAD_RATE - // load key and nonce - to_bit_interleaving(K0, U64BIG(*(u64*)k)); - to_bit_interleaving(K1, U64BIG(*(u64*)(k + 8))); - to_bit_interleaving(N0, U64BIG(*(u64*)npub)); - to_bit_interleaving(N1, U64BIG(*(u64*)(npub + 8))); +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} - // initialization - to_bit_interleaving(x0, IV); - x1.o = K0.o; - x1.e = K0.e; - x2.e = K1.e; - x2.o = K1.o; - x3.e = N0.e; - x3.o = N0.o; - x4.e = N1.e; - x4.o = N1.o; - P12(); - x3.e ^= K0.e; - x3.o ^= K0.o; - x4.e ^= K1.e; - x4.o ^= K1.o; +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + 
s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} - // process associated data +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; if (adlen) { - while (adlen >= RATE) { - to_bit_interleaving(t0, U64BIG(*(u64*)ad)); - x0.e ^= t0.e; - x0.o ^= t0.o; - P6(); - adlen -= RATE; - ad += RATE; + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; } - tmp0 = 0; - for (i = 0; i < adlen; ++i, ++ad) tmp0 |= INS_BYTE64(*ad, i); - tmp0 |= INS_BYTE64(0x80, adlen); - to_bit_interleaving(t0, tmp0); - x0.e ^= t0.e; - x0.o ^= t0.o; - P6(); + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); } - x4.e ^= 1; + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} - // process plaintext - while (mlen >= RATE) { - to_bit_interleaving(t0, U64BIG(*(u64*)m)); - x0.e ^= t0.e; - x0.o ^= t0.o; - from_bit_interleaving(tmp0, x0); - *(u64*)c = U64BIG(tmp0); - P6(); - mlen -= RATE; - m += RATE; - c += RATE; +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; } - tmp0 = 0; - for (i = 0; i < mlen; ++i, ++m) tmp0 |= INS_BYTE64(*m, i); - tmp0 |= INS_BYTE64(0x80, mlen); - to_bit_interleaving(t0, tmp0); - x0.e ^= t0.e; - x0.o ^= t0.o; - from_bit_interleaving(tmp0, x0); - for (i = 0; i < mlen; ++i, ++c) *c = EXT_BYTE64(tmp0, i); + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} - // finalization - x1.e ^= K0.e; - x1.o ^= K0.o; - x2.e ^= K1.e; - x2.o ^= K1.o; - P12(); - x3.e ^= K0.e; - x3.o ^= K0.o; - x4.e ^= K1.e; - x4.o ^= K1.o; +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} - // set tag - from_bit_interleaving(tmp0, x3); - *(u64*)c = U64BIG(tmp0); - from_bit_interleaving(tmp1, x4); - *(u64*)(c + 8) = U64BIG(tmp1); +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* 
set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); return 0; } +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.c new file mode 100644 index 0000000..effd40b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.c @@ -0,0 +1,15 @@ +#include "interleave.h" + +#if !ASCON_EXTERN_BI + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.h index 7dfa822..e5d6703 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/interleave.h 
@@ -3,47 +3,65 @@ #include +#include "config.h" +#include "endian.h" #include "forceinline.h" -forceinline uint32_t deinterleave_uint32(uint32_t x) { +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); return x; } -forceinline uint32_t interleave_uint32(uint32_t x) { +forceinline uint32_t interleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); return x; } /* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); uint32_t hi = in >> 32; uint32_t lo = in; - uint32_t r0, r1; - lo = deinterleave_uint32(lo); - hi = deinterleave_uint32(hi); - r0 = (lo & 0x0000FFFF) | (hi << 16); - r1 = (lo >> 16) | (hi & 0xFFFF0000); - return (uint64_t)r1 << 32 | r0; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; } /* credit to Henry S. 
Warren, Hacker's Delight, Addison-Wesley, 2002 */
 forceinline uint64_t interleave32(uint64_t in) {
- uint32_t r0 = in;
- uint32_t r1 = in >> 32;
- uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16);
- uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000);
- lo = interleave_uint32(lo);
- hi = interleave_uint32(hi);
- return (uint64_t)hi << 32 | lo;
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
 }
 #endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.c
index 8e9b3c1..46450d4 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.c
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.c
@@ -1,17 +1,22 @@
 #include "permutations.h"
-#if !ASCON_UNROLL_LOOPS
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9},
- {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9},
- {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}};
+void P12(state_t* s) { P12ROUNDS(s); }
 #endif
-#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
-void P12(state_t* s) { P12ROUNDS(s); }
 void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
 void P6(state_t* s) { P6ROUNDS(s); }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.h
index 336d7bb..feaa7dc 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.h
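Review bot: `extern const uint32_t B[3];` exports a one-letter global symbol from a library header, and the new `deinterleave16`/`interleave16` read it on every call, so a user translation unit that defines its own `B` (or a macro named `B`) either clashes at link time or silently rewrites these functions. A project-prefixed name such as `ascon_bi_mask`, changed here and in the `const uint32_t B[3] = {...}` definition in interleave.c, avoids that. The declaration is also unconditional while the definition in interleave.c sits under `#if !ASCON_EXTERN_BI`; that is only safe because the inline helpers are presumably unreferenced when the bitinterleaving is external, and a one-line comment stating so would save the next reader the same check.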
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/permutations.h 
@@ -6,104 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8021000008220000ull) -#define ASCON_128A_IV WORD_T(0x8822000000200000ull) -#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull) -#define ASCON_HASH_IV WORD_T(0x0020000008020010ull) -#define ASCON_XOF_IV WORD_T(0x0020000008020000ull) - -#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull) -#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull) -#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull) -#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull) -#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull) - -#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull) -#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull) -#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull) -#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full) -#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull) - -#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull) -#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull) -#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull) -#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull) -#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull) - -#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull) -#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull) -#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull) -#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull) -#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull) - -#define START(n) (12 - 
n) -#define RC(e, o) WORD_T((uint64_t)o << 32 | e) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xc, 0xc)); - ROUND(s, RC(0x9, 0xc)); - ROUND(s, RC(0xc, 0x9)); - ROUND(s, RC(0x9, 0x9)); - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); -} - -extern const uint8_t constants[][2]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) - ROUND(s, RC(constants[i][0], constants[i][1])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.c index 6cb5f4d..8aa5862 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.c 
@@ -1,21 +1,40 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/round.h
index cd8ec34..772d7f2 100644
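Review bot: `for (int i = strlen(text); i < 17; ++i)` in the new `printstate` narrows the `size_t` returned by `strlen` to `int`; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` keeps the padding loop clean under -Wconversion and -Wsign-compare. Separately, this function dumps the whole cipher state, which at the `init 1st key xor` and `final ... key xor` call sites in encrypt.c is key-dependent material; it is only compiled under `ASCON_PRINT_STATE`, and a comment at the top of the file, `/* debug aid only: prints key-dependent state; must not be defined in production builds */`, makes that contract explicit rather than implied by the guard.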
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/round.h
@@ -4,49 +4,43 @@
 #include "ascon.h"
 #include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-forceinline void ROUND(state_t* s, word_t C) {
+forceinline void ROUND(state_t* s, uint64_t C) {
 state_t t;
 /* round constant */
- s->x2 = XOR(s->x2, C);
+ s->x[2] ^= C;
 /* s-box layer */
- s->x0 = XOR(s->x0, s->x4);
- s->x4 = XOR(s->x4, s->x3);
- s->x2 = XOR(s->x2, s->x1);
- t.x0 = XOR(s->x0, AND(NOT(s->x1), s->x2));
- t.x2 = XOR(s->x2, AND(NOT(s->x3), s->x4));
- t.x4 = XOR(s->x4, AND(NOT(s->x0), s->x1));
- t.x1 = XOR(s->x1, AND(NOT(s->x2), s->x3));
- t.x3 = XOR(s->x3, AND(NOT(s->x4), s->x0));
- t.x1 = XOR(t.x1, t.x0);
- t.x3 = XOR(t.x3, t.x2);
- t.x0 = XOR(t.x0, t.x4);
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]);
+ t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]);
+ t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]);
+ t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]);
+ t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]);
+ t.x[1] ^= t.x[0];
+ t.x[3] ^= t.x[2];
+ t.x[0] ^= t.x[4];
 /* linear layer */
- s->x2 = XOR(t.x2, ROR(t.x2, 6 - 1));
- s->x3 = XOR(t.x3, ROR(t.x3, 17 - 10));
- s->x4 = XOR(t.x4, ROR(t.x4, 41 - 7));
- s->x0 = XOR(t.x0, ROR(t.x0, 28 - 19));
- s->x1 = XOR(t.x1, ROR(t.x1, 61 - 39));
- s->x2 = XOR(t.x2, ROR(s->x2, 1));
- s->x3 = XOR(t.x3, ROR(s->x3, 10));
- s->x4 = XOR(t.x4, ROR(s->x4, 7));
- s->x0 = XOR(t.x0, ROR(s->x0, 19));
- s->x1 = XOR(t.x1, ROR(s->x1, 39));
- s->x2 = NOT(s->x2);
+ s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1);
+ s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10);
+ s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7);
+ s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19);
+ s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39);
+ s->x[2] = t.x[2] ^ ROR(s->x[2], 1);
+ s->x[3] = t.x[3] ^ ROR(s->x[3], 10);
+ s->x[4] = t.x[4] ^ 
ROR(s->x[4], 7);
+ s->x[0] = t.x[0] ^ ROR(s->x[0], 19);
+ s->x[1] = t.x[1] ^ ROR(s->x[1], 39);
+ s->x[2] = ~s->x[2];
 printstate(" round output", s);
 }
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
 #endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32/word.h
index 688e605..d685b5e 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32/word.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32/word.h
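Review bot: The new `PROUNDS` loop `do { ... } while (i != END)` runs `ROUND` at least once and stops only when `i` lands exactly on `END`; with `START(n)` defined as `(24 - 2 * (n))` in the bi32_armv6 constants.h shown later in this patch, that is fine for the intended `nr` values 6, 8 and 12, but `nr == 0` starts at `END`, evaluates `RC(24)` reading past the 24-entry `constants[]`, and never terminates. The callers visible in this patch pass compile-time constants, so a comment suffices: `/* nr must be 1..12: nr == 0 starts at END and never terminates */`. `START`, `INC`, `END` and `RC` are not provided by the two headers round.h includes; they presumably arrive through permutations.h, which now includes constants.h, so round.h is only usable through that path and a comment saying so would help.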
@@ -2,104 +2,115 @@ #define WORD_H_ #include +#include +#include "config.h" #include "endian.h" #include "forceinline.h" #include "interleave.h" -typedef struct { - uint32_t e; - uint32_t o; -} word_t; - -forceinline uint32_t ROR32(uint32_t x, int n) { - return (n == 0) ? x : x >> n | x << (32 - n); -} - -forceinline word_t ROR(word_t x, int n) { - word_t r; - r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2); - r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2); - return r; -} +#if ASCON_EXTERN_BI -forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; } +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; } +#else -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); } +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) -forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); } +#endif -forceinline word_t NOT(word_t a) { - a.e = ~a.e; - a.o = ~a.o; - return a; -} +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -forceinline word_t XOR(word_t a, word_t b) { - a.e ^= b.e; - a.o ^= b.o; - return a; +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); } -forceinline word_t AND(word_t a, word_t b) { - a.e &= b.e; - a.o &= b.o; - return a; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? 
ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t r; - r.e = lo2hi.e << 16 | hi2lo.e >> 16; - r.o = lo2hi.o << 16 | hi2lo.o >> 16; - return r; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; } -forceinline int NOTZERO(word_t a, word_t b) { - uint32_t result = a.e | a.o | b.e | b.o; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { - return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32); +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint32_t mask = 0x0fffffff >> (n * 4 - 4); - w.e &= mask; - w.o &= mask; - return w; + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); } +#endif + forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { 
uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/architectures b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/ascon.h 
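Review bot: `LOAD` and `STORE` keep the `*(uint64_t*)bytes` access, so a call with `n < 8` reads or writes a full 8 bytes at `bytes` regardless of `n`; for `STORE` the read-modify-write also touches the `8 - n` bytes past what the caller handed over, and `MASK(n)` keeps the low `n` bytes of the word, which are the first `n` bytes in memory only on little-endian targets although endian.h accepts big-endian builds. The rewritten `LOADBYTES`/`STOREBYTES` (`memcpy` of exactly `n` bytes, with the byte swap now inside `U64TOWORD`/`WORDTOU64`) are both in-bounds and endian-neutral. The partial-block call sites in encrypt.c, `LOAD(ad, adlen)` in `ascon_adata`, `LOAD(m, mlen)`/`STORE(c, *px, mlen)` in `ascon_encrypt` and `LOAD(c, clen)`/`STORE(m, *px, clen)` in `ascon_decrypt`, in both the bi32 hunk above and the bi32_armv6 file below, could use those instead; for the decrypt output `m`, whose remaining length is `clen < 8` at that point, this removes a write past the end of the caller's buffer.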
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/config.h
new file mode 100644
index 0000000..5d155e0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.c
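Review bot: `typedef struct { ... } key_t;` reuses the name POSIX reserves for the System V IPC key type declared in `<sys/types.h>`, so any translation unit that includes that header, directly or through another system header, together with ascon.h gets a conflicting typedef and fails to compile. A project-prefixed name such as `ascon_key_t`, changed here and in the `ascon_loadkey`/`ascon_initaead`/`ascon_final` definitions in encrypt.c, avoids the collision. The bi32 encrypt.c hunk at the top of this chunk uses the same `key_t`, so its ascon.h presumably needs the same rename.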
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/encrypt.c
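Review bot: `#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])` leaves its parameter unparenthesized; the only caller in this patch passes a plain `i`, so it works today, but `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` matches the `START(n)` macro below it and survives an expression argument. `constants[]` is likewise an unprefixed external symbol exported from a library header, and `ascon_round_constants` would keep it out of the user's namespace. Note also that `ASCON_HASH_IV` here is `0x0020000008200010ull` whereas the line removed from the bi32 permutations.h above was `0x0020000008020010ull`; presumably a correction of the interleaved encoding, but since only one can match the reference IV it is worth confirming against the hash KATs.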
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/endian.h 
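Review bot: `crypto_aead_decrypt` writes the recovered plaintext into `m` and sets `*mlen` before the tag is checked, so when `NOTZERO` reports a mismatch the caller's buffer already holds unauthenticated plaintext and the return value is the only signal not to use it. The usual contract for this API is to wipe it on failure: `int result = NOTZERO(s.x[3], s.x[4]);`, `if (result) memset(m, 0, clen);`, `return result;` — `memset` needs `<string.h>`, which word.h already pulls in for `memcpy`. The wipe runs after the verdict is fixed, so it does not affect the constant-time comparison, and the `/* verify tag (should be constant time, check compiler output) */` comment should stay.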
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/forceinline.h
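Review bot: The little-endian `U64BIG`, `U32BIG` and `U16BIG` macros evaluate their argument up to eight times, so a call with a side-effecting expression would be computed several times over; the callers visible in this patch (interleave.h, printstate.c) pass plain variables, but the header should state the constraint. A one-line comment above `#define U64BIG(x)`, `/* x is evaluated multiple times: pass only side-effect-free expressions */`, makes that explicit. The `defined(_MSC_VER)` alternative also assumes every MSVC target is little-endian; that holds for the targets MSVC currently ships, but a short comment saying so would save the next reader from checking.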
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/implementors b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.c
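Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be selected: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so the preceding `#elif defined(__GNUC__)` already catches it. The outcome is harmless here because both branches expand to the same `inline __attribute__((__always_inline__))`, but the dead branch misleads readers into thinking clang is handled separately. Either drop the branch or change it to `#elif defined(__clang__)` and move it above the `__GNUC__` test so the `__has_attribute` probe actually runs.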
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/interleave.h
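Review bot: `const uint32_t B[3]` is exported under a one-letter external name, which can collide with any other object or function called `B` in a program that links this implementation alongside other code (the benchmark harnesses this layout targets link many candidates into one binary). Because inline functions in interleave.h reference it, it cannot be `static`, so a project-prefixed name such as `ascon_bi_masks` is the fix; the `extern const uint32_t B[3];` declaration in interleave.h and the `B[0]`..`B[2]` uses there would follow. A short comment on the definition saying what the three masks select would also help, since the values are not self-explanatory.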
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.c 
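Review bot: `deinterleave16` and `interleave16` join two statements per line with the comma operator (`t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);`), which reads like a single assignment and hides the sequencing between the mask step and the swap step; a plain `;` between them costs nothing and lets the repository's `.clang-format` lay the pairs out consistently. The 32-bit variants carry a `/* credit to ... Hacker's Delight ... */` attribution, but neither 16-bit helper says what it computes; a one-line purpose comment on each, in the same style, would make the file readable without the book at hand.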
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.c 
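Review bot: The two unrolled `P(state_t* s, int nr)` variants in permutations.h silently leave the state untouched when `nr` is not 12, 8 or 6, so a misconfigured round count would skip the permutation entirely instead of failing, which for a cipher is the worst possible failure mode. Every call site visible in this patch passes the literal 12 or the `nr` derived from `ASCON_AEAD_RATE`, so this is a documentation point rather than a live bug: a comment above the first variant, `/* nr must be 12, 8 or 6; any other value leaves s unchanged */`, makes the contract explicit, and the second variant a few lines below should carry the same note.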
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/round.h new file mode 100644 index 0000000..a52ca55 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/round.h 
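Review bot: `printstate` in printstate.c writes the full five-word state to stdout, and the callers in encrypt.c invoke it right after the key words are loaded into `s->x[1]`/`s->x[2]` and after the final key XOR, so `ASCON_PRINT_STATE` is a debug-only switch that must stay off in any build that handles real keys; a comment at the top of the file, `/* debug aid only: dumps the secret state to stdout; never enable in production builds */`, would make that explicit. Separately, `for (int i = strlen(text); i < 17; ++i)` narrows a `size_t` into an `int`; `for (size_t i = strlen(text); i < 17; ++i)` avoids the conversion warning without changing behavior.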
@@ -0,0 +1,229 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror 
#11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], 
%[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round 
description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], 
%[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6/word.h 
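Review bot: `PROUNDS` in round.h hard-codes the end pointer as `constants + 24` even though constants.h defines `END` for exactly that value; `ROUND_LOOP(s, constants + START(nr), constants + END);` keeps the two in step if the table size ever changes. Also, `ROUND_LOOP` reads the round constants from memory inside the asm (`ldrb %[tmp1], [%[C]], #1`) with neither a `"memory"` clobber nor a memory input operand, so the compiler is not told the asm depends on the contents of `constants`; this appears safe only because `constants` is a `const` table that nothing in this patch writes, and a comment above the asm stating that assumption would save the next reader a check.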
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/api.h new file mode 100644 index 0000000..2c7f738 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/architectures b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/ascon.h 
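Review bot: `LOAD` and `STORE` in word.h access a full `uint64_t` at `bytes` regardless of `n`, so every partial-block call (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, and `STORE(m, *px, clen)` in the decrypt path) reads, and for `STORE` read-modify-writes, up to 7 bytes past the buffer the caller handed in; `STORE` further ORs the unmasked high bytes of `WORDTOU64(w)` — state material — into those trailing bytes, because only the clearing step applies `MASK(n)`. The encrypt path later overwrites the affected ciphertext bytes with the tag, but the decrypt output buffer holds only `clen` bytes, so unless the API contract guarantees writable padding after every buffer this is an out-of-bounds write of keystream-derived bytes, and the unaligned `uint64_t` dereference may additionally trap on targets that do not allow unaligned doubleword access. The `LOADBYTES`/`STOREBYTES` pair a few lines below already shows the bounded memcpy form; giving `LOAD`/`STORE` the same shape confines the access to `n` bytes and yields the same value on the little-endian targets this directory is for.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* read exactly n bytes; bytes[n..7] are never touched */
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* write exactly n bytes; bytes[n..7] are never touched */
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```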
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include 
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/config.h
new file mode 100644
index 0000000..c6afcc6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.c
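Review bot: `typedef struct { ... } key_t;` in ascon.h reuses the name POSIX reserves for the `key_t` type declared in `<sys/types.h>`, so any translation unit that includes this header together with that system header (directly or through another header) fails with a conflicting typedef. A project-prefixed name such as `ascon_key_t` avoids the clash; the `const key_t* k` parameters on `ascon_initaead` and `ascon_final` here and the `key_t key;` locals in encrypt.c would follow. The same typedef is presumably repeated in the other implementation directories of this patch and should be renamed in step.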
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/encrypt.c 
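Review bot: `RC(i)` in constants.h uses its argument unparenthesized (`constants[i + 1]`), unlike `START(n)` two lines below, which wraps `(n)`; an argument such as `j ? 2 : 4` would bind as `j ? 2 : 4 + 1` in the first index and differently in the second. `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` keeps the macro safe for any expression and matches the hygiene of the neighbouring macro.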
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/endian.h
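Review bot: `crypto_aead_decrypt` has already written the recovered plaintext into `m` by the time `NOTZERO` reports a tag mismatch, and it returns -1 without touching `m`, so a caller that ignores the return value, or reads `m` before checking it, consumes unauthenticated plaintext; if the buffer contract allows it, wiping on failure is one line, `int r = NOTZERO(s.x[3], s.x[4]); if (r) memset(m, 0, *mlen); return r;` (needs `<string.h>`). Separately, the partial last block in `ascon_decrypt` does `STORE(m, *px, clen)` with `clen < 8`; per word.h in this same patch, STORE clears only the first `n` destination bytes and then ORs the whole 8-byte word in, so the state bytes above `clen` are ORed into `m[*mlen .. *mlen + 8 - clen)`, past the length reported to the caller. In `ascon_encrypt` the same spill lands inside the 16-byte tag area and is overwritten by the two `STOREBYTES` calls in `crypto_aead_encrypt`, but on the decrypt side nothing overwrites it. Unless the API already guarantees that slack, storing exactly `clen` bytes (`STOREBYTES(m, *px, clen)`, which is in scope, writes the same first `clen` bytes via `memcpy`) avoids the out-of-length write.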
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/implementors b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.c
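Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang predefines `__clang__` (lower case), not `__CLANG__`, and it also defines `__GNUC__`, so clang is already handled by the preceding branch and the `__has_attribute` probe under it never runs. Either delete the branch or, if a clang-specific path is intended, put it before the `__GNUC__` test and spell it `#elif defined(__clang__)`; as written it reads as if clang were handled specially when it is not.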
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/interleave.h
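Review bot: `B` is an external, non-static symbol with a one-letter name (`const uint32_t B[3]`), and `TOBI`/`FROMBI` are likewise unprefixed externs whenever `ASCON_INLINE_BI` is 0; in a build that links several implementations or primitives into one binary such names collide easily and are hard to attribute in a map file. A project prefix (`ascon_bi_masks`, `ascon_tobi`, `ascon_frombi`) keeps the behaviour and would need the matching rename of the `extern` declarations in interleave.h.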
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.c
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/permutations.h
@@ -0,0 +1,78 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+forceinline void P12ROUNDS(state_t* s) {
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.c
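Review bot: Both unrolled definitions of `P(state_t* s, int nr)` in permutations.h are three independent `if`s with no fallback, so a call with any `nr` other than 12, 8 or 6 returns with the state unpermuted and without any diagnostic; the callers in this patch only ever pass 6, 8 and 12, but nothing states that precondition. A one-line comment above each definition, `/* nr must be 6, 8 or 12; any other value leaves the state unchanged */`, turns the silent no-op into a documented contract and tells a future caller (a hash variant with a different round count, say) what to expect.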
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/round.h
new file mode 100644
index 0000000..76679e7
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/round.h
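Review bot: With `ASCON_PRINT_STATE` defined, `printstate` writes all five state words to stdout, and the call sites in encrypt.c take dumps immediately after the key is loaded into the state (`"init 1st key xor"`, where `x[1]`/`x[2]` are exactly `key->k1`/`key->k2`) and before the final permutation (`"final 1st key xor"`), so the trace contains the raw key; printstate.h says nothing about this. A comment at the `#ifdef ASCON_PRINT_STATE` in printstate.h, e.g. `/* debug tracing only: prints the full state, including the key words, to stdout; never define in a shipped build */`, documents what the stub macros are standing in for. Minor: `for (int i = strlen(text); ...)` narrows `size_t` to `int`; `size_t i` avoids the conversion warning.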
@@ -0,0 +1,325 @@
+#ifndef ROUND_H_
+#define ROUND_H_
+
+#include "ascon.h"
+#include "printstate.h"
+
+forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) {
+ uint32_t tmp0, tmp1;
+ __asm__ __volatile__(
+ "@.syntax_unified\n\t"
+ "rbegin_%=:;\n\t"
+ "ldrb %[tmp2], [%[tmp1], #0]\n\t"
+ "push {%[tmp0]}\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp2]\n\t"
+ "ldrb %[tmp2], [%[tmp1], #1]\n\t"
+ "add %[tmp1], %[tmp1], #2\n\t"
+ "movs %[tmp0], %[x2_h]\n\t"
+ "push {%[tmp1]}\n\t"
+ "eor %[tmp0], %[tmp0], %[tmp2]\n\t"
+ "movs %[x2_h], %[tmp0]\n\t"
+ "movs %[tmp0], %[x0_l]\n\t"
+ "bic %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "movs %[tmp1], %[x2_l]\n\t"
+ "bic %[tmp1], %[tmp1], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "movs %[tmp1], %[x4_l]\n\t"
+ "bic %[tmp1], %[tmp1], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "movs %[tmp2], %[x1_l]\n\t"
+ "bic %[tmp2], %[tmp2], %[x0_l]\n\t"
+ "eor %[tmp2], %[x4_l], %[tmp2]\n\t"
+ "movs %[tmp1], %[x3_l]\n\t"
+ "bic %[tmp1], %[tmp1], %[x2_l]\n\t"
+ "eor %[tmp1], %[x1_l], %[tmp1]\n\t"
+ "eor %[tmp0], %[x3_l], %[tmp0]\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_l]\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp2]\n\t"
+ "movs %[x4_l], %[x4_h]\n\t"
+ "movs %[x1_l], %[x1_h]\n\t"
+ "movs %[x3_l], %[x3_h]\n\t"
+ "movs %[x3_h], %[tmp0]\n\t"
+ "movs %[x1_h], %[tmp1]\n\t"
+ "movs %[tmp0], %[x0_h]\n\t"
+ "movs %[tmp1], %[x2_h]\n\t"
+ "movs %[x0_h], %[x0_l]\n\t"
+ "movs %[x2_h], %[x2_l]\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l]\n\t"
+ "movs %[x0_l], %[tmp0] \n\t"
+ "bic %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "movs %[x2_l], %[tmp1] \n\t"
+ "bic %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_l]\n\t"
+ "movs %[x2_l], %[x4_l] \n\t"
+ "bic %[x2_l], %[x2_l], %[x3_l]\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l]\n\t"
+ "movs %[x2_l], %[x1_l]\n\t"
+ "bic %[x2_l], %[x2_l], %[tmp0]\n\t"
+ "eor %[x4_l], %[x4_l], %[x2_l]\n\t"
+ "movs %[x2_l], %[x3_l] \n\t"
+ "bic %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x1_l], %[x2_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp0]\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "movs %[x4_h], %[tmp1]\n\t"
+ "movs %[x2_l], %[x3_h]\n\t"
+ "movs %[x3_h], %[x1_l]\n\t"
+ "movs %[tmp1], #17\n\t"
+ "movs %[x0_l], %[tmp2]\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x0_l], %[tmp2], %[x0_l]\n\t"
+ "movs %[x1_l], %[x4_l]\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x4_l], %[x1_l]\n\t"
+ "movs %[tmp1], #3\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[tmp2], %[tmp2], %[x1_l]\n\t"
+ "movs %[tmp1], #4\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x4_l], %[x4_l], %[x0_l]\n\t"
+ "movs %[x1_l], %[x2_l]\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x3_l], %[x1_l]\n\t"
+ "movs %[tmp1], #3\n\t"
+ "movs %[x0_l], %[x3_l]\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x0_l], %[x2_l], %[x0_l]\n\t"
+ "movs %[tmp1], #5\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x2_l], %[x2_l], %[x0_l]\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[x1_l]\n\t"
+ "movs %[x0_l], %[x0_h]\n\t"
+ "movs %[x1_l], %[x1_h]\n\t"
+ "movs %[x1_h], %[x2_l]\n\t"
+ "movs %[x0_h], %[tmp2]\n\t"
+ "movs %[tmp2], %[x4_h]\n\t"
+ "movs %[x4_h], %[x4_l]\n\t"
+ "movs %[x4_l], %[x3_h]\n\t"
+ "movs %[x3_h], %[x3_l]\n\t"
+ "movs %[x3_l], %[x0_l]\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[tmp0], %[x3_l]\n\t"
+ "movs %[tmp1], #4\n\t"
+ "movs %[x2_l], %[tmp0]\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x2_l], %[x0_l], %[x2_l]\n\t"
+ "movs %[tmp1], #9\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x0_l], %[x0_l], %[x3_l]\n\t"
+ "movs %[tmp1], #10\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_l]\n\t"
+ "movs %[tmp1], #11\n\t"
+ "movs %[x2_l], %[x1_l]\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x2_l], %[x1_l], %[x2_l]\n\t"
+ "movs %[x3_l], %[x4_l]\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x4_l], %[x3_l]\n\t"
+ "movs %[tmp1], #19\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x1_l], %[x3_l]\n\t"
+ "movs %[tmp1], #20\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x4_l], %[x4_l], %[x2_l]\n\t"
+ "movs %[x2_l], %[x2_h]\n\t"
+ "movs %[x3_l], %[x1_h]\n\t"
+ "movs %[x1_h], %[x4_l]\n\t"
+ "movs %[x2_h], %[tmp0]\n\t"
+ "movs %[x4_l], #2\n\t"
+ "mvn %[tmp0], %[tmp2]\n\t"
+ "ror %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "eor %[tmp0], %[x2_l], %[tmp0]\n\t"
+ "movs %[x4_l], #3\n\t"
+ "mvn %[tmp1], %[x2_l]\n\t"
+ "ror %[tmp1], %[tmp1], %[x4_l]\n\t"
+ "eor %[tmp1], %[tmp2], %[tmp1]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "movs %[x4_l], #1\n\t"
+ "pop {%[tmp1]}\n\t"
+ "ror %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "eor %[tmp2], %[tmp2], %[tmp0]\n\t"
+ "pop {%[tmp0]}\n\t"
+ "movs %[x4_l], %[x0_h]\n\t"
+ "movs %[x0_h], %[x2_h]\n\t"
+ "movs %[x2_h], %[tmp2]\n\t"
+ "cmp %[tmp1], %[tmp0]\n\t"
+ "beq rend_%=\n\t"
+ "b rbegin_%=\n\t"
+ "rend_%=:;\n\t"
+ : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C),
+ [ tmp0 ] "+l"(E), [ tmp2 ] "=l"(tmp1)
+ :
+ :);
+ printstate(" round output", s);
+}
+
+forceinline void ROUND(state_t* s, uint64_t C) {
+ uint32_t tmp0, tmp1, tmp2;
+ __asm__ __volatile__(
+ "@.syntax_unified\n\t"
+ "movs %[tmp1], %[C_e]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "movs %[tmp0], %[x0_l]\n\t"
+ "bic %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "movs %[tmp1], %[x2_l]\n\t"
+ "bic %[tmp1], %[tmp1], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "movs %[tmp1], %[x4_l]\n\t"
+ "bic %[tmp1], %[tmp1], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "movs %[tmp2], %[x1_l]\n\t"
+ "bic %[tmp2], %[tmp2], %[x0_l]\n\t"
+ "eor %[tmp2], %[x4_l], %[tmp2]\n\t"
+ "movs %[tmp1], %[x3_l]\n\t"
+ "bic %[tmp1], %[tmp1], %[x2_l]\n\t"
+ "eor %[tmp1], %[x1_l], %[tmp1]\n\t"
+ "eor %[tmp0], %[x3_l], %[tmp0]\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_l]\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp2]\n\t"
+ "movs %[x4_l], %[x4_h]\n\t"
+ "movs %[x1_l], %[x1_h]\n\t"
+ "movs %[x3_l], %[x3_h]\n\t"
+ "movs %[x3_h], %[tmp0]\n\t"
+ "movs %[x1_h], %[tmp1]\n\t"
+ "movs %[tmp0], %[x0_h]\n\t"
+ "movs %[tmp1], %[x2_h]\n\t"
+ "movs %[x0_h], %[x0_l]\n\t"
+ "movs %[x2_h], %[x2_l]\n\t"
+ "movs %[x0_l], %[C_o]\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l]\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l]\n\t"
+ "movs %[x0_l], %[tmp0] \n\t"
+ "bic %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "movs %[x2_l], %[tmp1] \n\t"
+ "bic %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_l]\n\t"
+ "movs %[x2_l], %[x4_l] \n\t"
+ "bic %[x2_l], %[x2_l], %[x3_l]\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l]\n\t"
+ "movs %[x2_l], %[x1_l]\n\t"
+ "bic %[x2_l], %[x2_l], %[tmp0]\n\t"
+ "eor %[x4_l], %[x4_l], %[x2_l]\n\t"
+ "movs %[x2_l], %[x3_l] \n\t"
+ "bic %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x1_l], %[x2_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp0]\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "movs %[x4_h], %[tmp1]\n\t"
+ "movs %[x2_l], %[x3_h]\n\t"
+ "movs %[x3_h], %[x1_l]\n\t"
+ "movs %[tmp1], #17\n\t"
+ "movs %[x0_l], %[tmp2]\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x0_l], %[tmp2], %[x0_l]\n\t"
+ "movs %[x1_l], %[x4_l]\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x4_l], %[x1_l]\n\t"
+ "movs %[tmp1], #3\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[tmp2], %[tmp2], %[x1_l]\n\t"
+ "movs %[tmp1], #4\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x4_l], %[x4_l], %[x0_l]\n\t"
+ "movs %[x1_l], %[x2_l]\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x3_l], %[x1_l]\n\t"
+ "movs %[tmp1], #3\n\t"
+ "movs %[x0_l], %[x3_l]\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x0_l], %[x2_l], %[x0_l]\n\t"
+ "movs %[tmp1], #5\n\t"
+ "ror %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "eor %[x2_l], %[x2_l], %[x0_l]\n\t"
+ "ror %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[x1_l]\n\t"
+ "movs %[x0_l], %[x0_h]\n\t"
+ "movs %[x1_l], %[x1_h]\n\t"
+ "movs %[x1_h], %[x2_l]\n\t"
+ "movs %[x0_h], %[tmp2]\n\t"
+ "movs %[tmp2], %[x4_h]\n\t"
+ "movs %[x4_h], %[x4_l]\n\t"
+ "movs %[x4_l], %[x3_h]\n\t"
+ "movs %[x3_h], %[x3_l]\n\t"
+ "movs %[x3_l], %[x0_l]\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[tmp0], %[x3_l]\n\t"
+ "movs %[tmp1], #4\n\t"
+ "movs %[x2_l], %[tmp0]\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x2_l], %[x0_l], %[x2_l]\n\t"
+ "movs %[tmp1], #9\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x0_l], %[x0_l], %[x3_l]\n\t"
+ "movs %[tmp1], #10\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_l]\n\t"
+ "movs %[tmp1], #11\n\t"
+ "movs %[x2_l], %[x1_l]\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x2_l], %[x1_l], %[x2_l]\n\t"
+ "movs %[x3_l], %[x4_l]\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x4_l], %[x3_l]\n\t"
+ "movs %[tmp1], #19\n\t"
+ "ror %[x3_l], %[x3_l], %[tmp1]\n\t"
+ "eor %[x1_l], %[x1_l], %[x3_l]\n\t"
+ "movs %[tmp1], #20\n\t"
+ "ror %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "eor %[x4_l], %[x4_l], %[x2_l]\n\t"
+ "movs %[x2_l], %[x2_h]\n\t"
+ "movs %[x3_l], %[x1_h]\n\t"
+ "movs %[x1_h], %[x4_l]\n\t"
+ "movs %[x2_h], %[tmp0]\n\t"
+ "movs %[x4_l], #2\n\t"
+ "mvn %[tmp0], %[tmp2]\n\t"
+ "ror %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "eor %[tmp0], %[x2_l], %[tmp0]\n\t"
+ "movs %[x4_l], #3\n\t"
+ "mvn %[tmp1], %[x2_l]\n\t"
+ "ror %[tmp1], %[tmp1], %[x4_l]\n\t"
+ "eor %[tmp1], %[tmp2], %[tmp1]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "movs %[x4_l], #1\n\t"
+ "ror %[tmp0], %[tmp0], %[x4_l]\n\t"
+ "eor %[tmp2], %[tmp2], %[tmp0]\n\t"
+ "movs %[x4_l], %[x0_h]\n\t"
+ "movs %[x0_h], %[x2_h]\n\t"
+ "movs %[x2_h], %[tmp2]\n\t"
+ : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]),
+ [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2)
+ : [ C_e ] "ri"((uint32_t)C), [ C_o ] "ri"((uint32_t)(C >> 32))
+ :);
+ printstate(" round output", s);
+}
+
+forceinline void PROUNDS(state_t* s, int nr) {
+ ROUND_LOOP(s, constants + START(nr), constants + 24);
+}
+
+#endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/word.h
new file mode 100644
index 0000000..d685b5e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv6m/word.h
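Review bot: Both inline-asm statements in this hunk end with an empty clobber list (`:);`) although the sequences update the condition flags (`cmp`, `movs`, `add ... #2`, and the 16-bit Thumb data-processing forms of `eor`/`bic`/`ror`/`mvn`, which always set flags on ARMv6-M), so the compiler is never told that APSR changes; `: "cc");` in place of `:);` is the documented way to declare it. The `"@.syntax_unified\n\t"` string at the top of each block is an assembler comment (`@` opens a comment in ARM assembly) and therefore selects nothing; if it is a deliberate reminder a C comment is clearer, and if it was meant as a directive it is not acting as one. In `ROUND_LOOP` the local `tmp0` is declared but never bound to an operand (`[tmp2] "=l"` binds `tmp1`), and `PROUNDS` writes the literal `constants + 24` where constants.h in this same patch defines `END` for exactly that bound; `ROUND_LOOP(s, constants + START(nr), constants + END);` keeps the two from drifting apart.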
@@ -0,0 +1,116 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+#include "interleave.h"
+
+#if ASCON_EXTERN_BI
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+#else
+
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
+
+#endif
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
+}
+
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
+}
+
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
+}
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/architectures b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/ascon.h
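Review bot: `LOAD` and `STORE` in word.h go through `*(uint64_t*)bytes`, a full 8-byte read or write regardless of `n`, on a `uint8_t` buffer the caller sized for `n` bytes: `LOAD(ad, adlen)` in encrypt.c reads up to 7 bytes past the end of the associated data, and `STORE` clears only the first `n` destination bytes before ORing in the whole converted word, so the bytes above `n` receive state bits (the decrypt path in encrypt.c is where that matters). The cast is also an unaligned 64-bit access whenever the caller's pointer is not 8-byte aligned, and on the Cortex-M0-class cores the `armv6m` directory name suggests, an unaligned word access faults rather than merely slowing down; I cannot tell from this chunk whether the surrounding build guarantees alignment. `LOADBYTES`/`STOREBYTES` a few lines below already do the same job through `memcpy` of exactly `n` bytes, so either route the partial-block calls through those, or state at the top of word.h that callers must pass 8-byte-aligned buffers with 8 bytes of readable and writable slack.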
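Review bot: `architectures` for `bi32_armv7m` lists `aarch64` alongside `arm`/`armeabi`, but the sibling `bi32_armv6m` implementation in this same patch is built on 32-bit Thumb inline assembly with `l`/`r` register constraints and `%=` labels, which an AArch64 compiler cannot assemble; if the armv7m round.h (not in this chunk) is the same kind of code, a harness that selects implementations by this file will fail the build on AArch64 hosts. Drop `aarch64` unless the armv7m variant carries a separate AArch64 code path.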
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/config.h
new file mode 100644
index 0000000..3070584
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.c
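Review bot: `typedef struct { ... } key_t;` in ascon.h reuses the name `key_t`, which POSIX defines in `<sys/types.h>` for System V IPC keys; on a hosted toolchain that header can be pulled in transitively by ordinary standard headers (printstate.c in this patch includes the C standard I/O and string headers), at which point this typedef is a conflicting redefinition of a system type and the translation unit fails to compile, or compiles only for a particular include order. An implementation-prefixed name such as `ascon_key_t`, applied here and at the uses in encrypt.c (`key_t key;`, `ascon_loadkey(key_t* key, ...)`, the `const key_t*` parameters), removes the collision without changing any behaviour.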
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/endian.h 
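Review bot: The final-block paths in ascon_adata, ascon_encrypt and ascon_decrypt call `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `LOAD(c, clen)` with fewer than 8 bytes remaining, and LOAD (word.h, added in this same commit) is `*(uint64_t*)bytes & MASK(n)`, so each of them reads a full 8-byte word that extends past the end of the caller's buffer; `STORE(m, *px, clen)` in ascon_decrypt likewise read-modify-writes 8 bytes, so unless the high bytes of the word happen to be zero it also modifies bytes beyond `clen`, which for a plaintext buffer sized exactly `*mlen` is an out-of-bounds write of up to 7 bytes. If the API contract does not guarantee that slack (I cannot see it from here), the partial block should use the memcpy-based helpers the same header provides, e.g. `*px ^= LOADBYTES(m, mlen); STOREBYTES(c, *px, mlen);` in encrypt and the matching `LOADBYTES(c, clen)`/`STOREBYTES(m, *px, clen)` in decrypt; in ascon_encrypt the extra bytes land in the tag area of `c`, which `STOREBYTES(c + mlen, ...)` overwrites afterwards, so the write hazard is on the decrypt side only. Separately, crypto_aead_decrypt has already written the candidate plaintext to `m` and set `*mlen` by the time `NOTZERO` evaluates the tag, so a comment such as `/* on non-zero return the contents of m are unauthenticated and must be discarded */` would spell out the release-of-unverified-plaintext hazard for callers.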
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/implementors b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.c
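Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is dead code: clang predefines the lowercase `__clang__`, not `__CLANG__`, and because clang also defines `__GNUC__` it is already handled by the preceding branch. If the intent is to guard `__has_attribute` for a clang mode that does not advertise GNU compatibility, the line should read `#elif defined(__clang__)`; otherwise the branch can simply be removed. As written, any non-GNU, non-MSVC compiler silently gets plain `inline`, which matters here because round.h passes round constants through `"i"` asm constraints that only resolve when these helpers are actually inlined.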
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.c 
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9);
+ ROUND5(x3, x4, x0, x1, x2, RCa);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCb);
+ STORESTATE(s, x2, x3, x4, x0, x1);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCb);
+#endif
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.c
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/round.h
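Review bot: printstate writes the complete 320-bit state to stdout, and the call sites in encrypt.c invoke it right after the key words are loaded (`printstate("init 1st key xor", s)` with `s->x[1] = key->k1`, `s->x[2] = key->k2`), so with `ASCON_PRINT_STATE` defined the trace contains the key and nonce in the clear. The `#ifdef` guard keeps it out of default builds, but neither printstate.h nor printstate.c says that this is a debug-only facility. A one-line comment at the top of printstate.h, e.g. `/* debug tracing only: dumps key- and nonce-dependent state to stdout; never define ASCON_PRINT_STATE in a production build */`, would make the risk explicit for anyone wiring these flags into a build system.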
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m/word.h 
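Review bot: `ROUND` and the `ROUND5` macro pass the round constant through `"i"` operands (`[ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32))`), which only resolves when the value is a compile-time immediate at the asm site; that holds for the `RC0`..`RCb` literals once the callers are inlined, but if `forceinline` degrades to plain `inline` (the fallback in forceinline.h) or the build runs without optimization, GCC-style compilers are likely to reject it with an impossible-constraint error. A comment above `ROUND`, e.g. `/* C must be a compile-time constant: only called (inlined) with the RCx literals */`, would spare the next porter a confusing build failure. Minor: in `ROUND_LOOP` the `E` operand is declared `"+r"` although the asm only reads it in `cmp %[C], %[E]`, so it can be a plain input operand (`[ E ] "r"(E)`), which frees the compiler from assuming it is clobbered.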
@@ -0,0 +1,116 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+#include "interleave.h"
+
+#if ASCON_EXTERN_BI
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+#else
+
+#define U64TOWORD(x) TOBI(x)
+#define WORDTOU64(x) FROMBI(x)
+
+#endif
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+forceinline uint32_t ROR32(uint32_t x, int n) {
+ return x >> n | x << (-n & 31);
+}
+
+forceinline uint64_t ROR(uint64_t x, int n) {
+ word_t b, a = {.x = x};
+ b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2);
+ b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2);
+ return b.x;
+}
+
+forceinline uint64_t KEYROT(uint64_t a, uint64_t b) {
+ word_t w, lo2hi = {.x = a}, hi2lo = {.x = b};
+ w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16;
+ w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16;
+ return w.x;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+#if ASCON_EXTERN_BI
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+#else
+
+forceinline uint64_t PAD(int i) {
+ return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32);
+}
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) {
+ return ((len & 0x01) << 57) | /* 0000x */
+ ((len & 0x02) << 25) | /* 000x0 */
+ ((len & 0x04) << 56) | /* 00x00 */
+ ((len & 0x08) << 24) | /* 0x000 */
+ ((len & 0x10) << 55); /* x0000 */
+}
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint32_t mask = 0xffffffffull >> (4 * n);
+ return w & ((uint64_t)mask << 32 | mask);
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/ascon.h
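Review bot: `LOAD` and `STORE` always touch a full 8 bytes through `*(uint64_t*)bytes` and only mask the value, so with n < 8 — which is how the sibling encrypt.c in this patch uses them for the final partial block (`LOAD(ad, adlen)`, `STORE(m, *px, clen)`; its own word.h is presumably identical to this one) — `LOAD` reads up to 7 bytes past the caller's data and `STORE` ORs the upper bytes of `w` into memory beyond the n bytes it was asked to write. The cast also tells the compiler the buffer is 64-bit aligned; if it emits `ldrd`/`ldm` for these accesses on Cortex-M, a caller passing an unaligned `ad`/`m`/`c` pointer will fault, which is worth checking in the generated code. Either state the contract above both functions (`/* bytes must be word-aligned and 8 bytes readable/writable; only the low n bytes are meaningful, the rest is scratch */`) or route n < 8 through the memcpy-based `LOADBYTES`/`STOREBYTES` already defined below, e.g. `if (n < 8) return LOADBYTES(bytes, n);`. Note too that `MASK(n)` keeps the low 8n bits of the raw word, which selects the first n bytes only on a little-endian machine, so this fast path silently does not match the big-endian branch endian.h provides.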
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/config.h
new file mode 100644
index 0000000..525682c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 0
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.c
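Review bot: `key_t` is already a POSIX type name (from `<sys/types.h>`, used by `ftok`/`shmget`), so any translation unit that includes both that header and this public `ascon.h` gets a conflicting typedef; a prefixed name such as `ascon_key_t` avoids the clash (the rename also touches `ascon_loadkey`, `ascon_initaead` and `ascon_final` in encrypt.c). The struct's layout also depends on `CRYPTO_KEYBYTES`, but `ascon.h` does not include `api.h`, so a file that pulls in `ascon.h` before `api.h` (printstate.c in this patch does, via printstate.h) evaluates the `#if` with `CRYPTO_KEYBYTES` undefined and sees a struct without `k0`; harmless today because no such file uses the type, but for an 80pq build it is a latent layout mismatch between translation units. Adding `#include "api.h"` next to `#include "word.h"` pins the definition regardless of include order.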
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/encrypt.c
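Review bot: The IV and `RC*` values in this header appear to be stored in the bit-interleaved representation the rest of this implementation works in (the asm operands consuming them are named `C_e`/`C_o`, and `RC(i)` is assembled from the nibble pairs in `constants[]`), not the 64-bit values from the Ascon specification, yet nothing in the file says so; a reader comparing `ASCON_128_IV` against the spec's value (`0x80400c0600000000`, if I recall it correctly) will conclude the constants are wrong. A one-line comment above the IV block, `/* IVs and round constants are stored bit-interleaved: even bits in the low word, odd bits in the high word (see interleave.h) */`, would prevent a well-meaning "fix". Separately, `RC(i)` should parenthesize its argument the way `START(n)` does: `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`.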
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/endian.h
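Review bot: `crypto_aead_decrypt` writes the decrypted plaintext into `m` before the tag is checked and leaves it there when `NOTZERO` reports a mismatch, so a caller that ignores the return value, or anything that can observe `m` after a failure, gets unauthenticated plaintext; the API contract only requires the return code, but wiping on failure is cheap: `int result = NOTZERO(s.x[3], s.x[4]); if (result) memset(m, 0, clen); return result;`. Neither entry point clears `key` or `s` before returning, so key-derived material stays on the stack after the call; a best-effort zeroization of both at the end is worth adding, with the usual caveat that a plain `memset` may be elided by the compiler. Note also that `ascon_decrypt`'s final partial block calls `STORE(m, *px, clen)` with clen < 8, which (per word.h) performs an 8-byte read-modify-write at `m`; that stays in bounds only if the caller provisions `m` with at least `clen + CRYPTO_ABYTES` bytes, so a comment on `crypto_aead_decrypt` stating that requirement (or a switch to `STOREBYTES` for the tail) would avoid an out-of-bounds write for callers outside the SUPERCOP harness.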
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/forceinline.h
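Review bot: In `U32BIG`, the term `(0x000000FF & (x)) << 24` is evaluated in `int` whenever `x` has a signed type or a type narrower than `int` (the mask literal itself is an `int`), and shifting a byte with bit 7 set into bit 31 of a signed `int` is undefined behaviour; the 64-bit macro sidesteps this with its `ULL` suffixes, the 32- and 16-bit ones do not. Nothing in this patch appears to call `U32BIG`/`U16BIG` with a signed argument, but they are public macros, so `0x000000FFu`, `0x0000FF00u`, `0x00FFu` (and matching suffixes on the other masks) make them safe for any argument at no cost.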
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.c
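Review bot: The `#elif defined(__CLANG__)` branch can never be taken: clang defines `__clang__` (lowercase), and it also defines `__GNUC__`, so the preceding branch already claims it; the `__has_attribute` probe behind it is therefore dead code. Either delete the branch, or, if the intent is to prefer the feature test on clang, move it ahead of the `__GNUC__` test and spell the macro correctly, `#elif defined(__clang__)`, keeping the nested `#if __has_attribute(__always_inline__)` inside it so compilers without `__has_attribute` never see it.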
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/interleave.h
@@ -0,0 +1,67 @@
+#ifndef INTERLEAVE_H_
+#define INTERLEAVE_H_
+
+#include
+
+#include "config.h"
+#include "endian.h"
+#include "forceinline.h"
+
+#if ASCON_INLINE_BI
+
+#define TOBI deinterleave32
+#define FROMBI interleave32
+
+#else
+
+uint64_t TOBI(uint64_t in);
+uint64_t FROMBI(uint64_t in);
+
+#endif
+
+extern const uint32_t B[3];
+
+forceinline uint32_t deinterleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ return x;
+}
+
+forceinline uint32_t interleave16(uint32_t x) {
+ uint32_t t;
+ t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8);
+ t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4);
+ t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2);
+ t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);
+ return x;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t deinterleave32(uint64_t in) {
+ in = U64BIG(in);
+ uint32_t hi = in >> 32;
+ uint32_t lo = in;
+ uint32_t t0, t1, e, o;
+ t0 = deinterleave16(lo);
+ t1 = deinterleave16(hi);
+ e = (t1 << 16) | (t0 & 0x0000FFFF);
+ o = (t1 & 0xFFFF0000) | (t0 >> 16);
+ return (uint64_t)o << 32 | e;
+}
+
+/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
+forceinline uint64_t interleave32(uint64_t in) {
+ uint32_t e = in;
+ uint32_t o = in >> 32;
+ uint32_t t0, t1, lo, hi;
+ t0 = (o << 16) | (e & 0x0000FFFF);
+ t1 = (o & 0xFFFF0000) | (e >> 16);
+ lo = interleave16(t0);
+ hi = interleave16(t1);
+ return U64BIG((uint64_t)hi << 32 | lo);
+}
+
+#endif /* INTERLEAVE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.c
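Review bot: `B` is a single-letter identifier with external linkage declared in a public header (and defined in interleave.c), so it lands in the global namespace of every translation unit that includes `interleave.h`, and a collision with a caller's own `B` surfaces only as a confusing link or redeclaration error; a name such as `ascon_bi_masks` costs nothing. The reason the three masks live in memory rather than being spelled as immediates is presumably code size on this "small" variant, but the header does not say so — a one-line comment above the declaration, `/* swap masks kept as data rather than immediates to reduce code size */`, would record the intent; please confirm that is the reason before adding it.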
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/permutations.h
@@ -0,0 +1,123 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+#define LOADSTATE(s, a, b, c, d, e) \
+ do { \
+ a.x = s->x[0]; \
+ b.x = s->x[1]; \
+ c.x = s->x[2]; \
+ d.x = s->x[3]; \
+ e.x = s->x[4]; \
+ } while (0)
+
+#define STORESTATE(s, a, b, c, d, e) \
+ do { \
+ s->x[0] = a.x; \
+ s->x[1] = b.x; \
+ s->x[2] = c.x; \
+ s->x[3] = d.x; \
+ s->x[4] = e.x; \
+ } while (0)
+
+forceinline void P12ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC0);
+ ROUND5(x2, x3, x4, x0, x1, RC1);
+ ROUND5(x4, x0, x1, x2, x3, RC2);
+ ROUND5(x1, x2, x3, x4, x0, RC3);
+ ROUND5(x3, x4, x0, x1, x2, RC4);
+ ROUND5(x0, x1, x2, x3, x4, RC5);
+ ROUND5(x2, x3, x4, x0, x1, RC6);
+ ROUND5(x4, x0, x1, x2, x3, RC7);
+ ROUND5(x1, x2, x3, x4, x0, RC8);
+ ROUND5(x3, x4, x0, x1, x2, RC9);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCa);
+ ROUND5(x2, x3, x4, x0, x1, RCb);
+ STORESTATE(s, x4, x0, x1, x2, x3);
+#else
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC4);
+ ROUND5(x2, x3, x4, x0, x1, RC5);
+ ROUND5(x4, x0, x1, x2, x3, RC6);
+ ROUND5(x1, x2, x3, x4, x0, RC7);
+ ROUND5(x3, x4, x0, x1, x2, RC8);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RC9);
+ ROUND5(x2, x3, x4, x0, x1, RCa);
+ ROUND5(x4, x0, x1, x2, x3, RCb);
+ STORESTATE(s, x1, x2, x3, x4, x0);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC6);
+ ROUND5(x2, x3, x4, x0, x1, RC7);
+ ROUND5(x4, x0, x1, x2, x3, RC8);
+ ROUND5(x1, x2, x3, x4, x0, RC9);
+ ROUND5(x3, x4, x0, x1, x2, RCa);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCb);
+ STORESTATE(s, x2, x3, x4, x0, x1);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCb);
+#endif
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.c
new file mode 100644
index 0000000..8aa5862
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.c
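Review bot: The two unrolled `P` dispatchers test `nr` with three independent `if`s and silently do nothing for any other round count, so a wrong `nr` leaves the state unpermuted instead of failing loudly; an `if`/`else if` chain ending in an `else` that asserts or deliberately traps would make that m mistake visible at the first test vector, and every caller in this patch passes a compile-time constant so it costs nothing in the generated code. In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` branch the `P6`/`P8` prototypes are declared unconditionally while permutations.c only defines them when `ASCON_AEAD_RATE` (or `ASCON_HASH_ROUNDS`) selects them, so the dispatcher references an undefined symbol unless the dead `if` is folded away; that will happen at any optimisation level in practice, but an unoptimised build can fail to link, which deserves either a comment here or matching `#if` guards around the prototypes and their calls.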
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/round.h
new file mode 100644
index 0000000..3f3691b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/round.h
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_armv7m_small/word.h 
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/api.h
index bc90a81..2c7f738 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/api.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/api.h
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 16
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/ascon.h
index 990027b..196110e 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/ascon.h
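Review bot: `LOAD` and `STORE` access the full `uint64_t` at `bytes` whatever `n` is, so the final-block calls in encrypt.c such as `STORE(m, *px, clen)` in decrypt and `LOAD(ad, adlen)` touch up to seven bytes beyond what the caller owns, and the cast also presumes unaligned 64-bit accesses are tolerated; `LOADBYTES`/`STOREBYTES` right below avoid both with `memcpy`. If the wide access is deliberate for this variant, the contract needs stating above both functions, e.g. `/* accesses the whole 8-byte word at bytes even for n < 8: caller buffers must be readable/writable there */`; otherwise build them on `memcpy` like `LOADBYTES`. `MASK`'s `/* undefined for n == 0 */` carries over to `LOAD`, `STORE` and `CLEAR`, which the `if (mlen)`/`if (clen)` guards in encrypt.c respect today but nothing in this header enforces.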
@@ -5,14 +5,28 @@
 #include "word.h"

-typedef struct {
- word_t x0, x1, x2, x3, x4;
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
 } state_t;

-void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k);
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
 void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
 void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
 void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
-void ascon_final(state_t* s, const uint8_t* k);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);

-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/config.h
index ca30428..d9e51c1 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/config.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/config.h
@@ -16,4 +16,14 @@
 #define ASCON_UNROLL_LOOPS 0
 #endif

+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
 #endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.c
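Review bot: The new `typedef struct { ... } key_t;` collides with POSIX `key_t` from `<sys/types.h>`, which several libcs pull in transitively through `<stdio.h>`/`<string.h>` (printstate.c includes stdio and word.h uses memcpy), so depending on include order this header either fails with a conflicting-typedef error or silently shadows the system type. A project-prefixed name such as `ascon_key_t`, renamed consistently in encrypt.c's `ascon_loadkey`, `ascon_initaead` and `ascon_final`, avoids that. The conditional `k0` member also deserves a line, e.g. `/* k0: first 4 key bytes of the 160-bit Ascon-80pq key, positioned by KEYROT in ascon_loadkey */` — confirm the exact layout against `ascon_loadkey` before committing the wording.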
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/encrypt.c index 47595f9..631e60c 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/encrypt.c 
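Review bot: `RC(i)` uses its argument unparenthesized (`constants[i + 1]`, `constants[i]`), so an argument with lower precedence than `+` would mis-index; `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` is the conventional form. The byte-pair layout is undocumented: `RC(i)` takes a byte offset into `constants[]`, not a round number, which is why `START(n)` is `24 - 2 * (n)` and `INC` is 2, and a comment such as `/* constants[] holds the (even, odd) 32-bit halves of each round constant; RC/START/INC/END index it in bytes */` above the macros would make that explicit. `extern const uint8_t constants[]` is declared unconditionally while constants.c defines it only under `#if !ASCON_UNROLL_LOOPS`, so any `RC(i)` use surviving in an unrolled build would fail at link time — presumably none does, but worth confirming.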
@@ -1,109 +1,220 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define RATE (64 / 8) -#define PA_ROUNDS 12 -#define PB_ROUNDS 6 -#define IV \ - ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \ - (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32) +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* nsec, const unsigned char* npub, - const unsigned char* k) { - u32_2 K0, K1, N0, N1; - u32_2 x0, x1, x2, x3, x4; - u32_2 t0; - u64 tmp0; - u32 i; - (void)nsec; - - // set ciphertext size - *clen = mlen + CRYPTO_ABYTES; +#ifdef ASCON_AEAD_RATE - // load key and nonce - to_bit_interleaving(K0, U64BIG(*(u64*)k)); - to_bit_interleaving(K1, U64BIG(*(u64*)(k + 8))); - to_bit_interleaving(N0, U64BIG(*(u64*)npub)); - to_bit_interleaving(N1, U64BIG(*(u64*)(npub + 8))); +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} - // initialization - to_bit_interleaving(x0, IV); - x1.o = K0.o; - x1.e = K0.e; - x2.e = K1.e; - x2.o = K1.o; - x3.e = N0.e; - x3.o = N0.o; - x4.e = N1.e; - x4.o = N1.o; - P12(); - x3.e ^= K0.e; - x3.o ^= K0.o; - x4.e ^= K1.e; - x4.o ^= K1.o; +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + 
s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} - // process associated data +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; if (adlen) { - while (adlen >= RATE) { - to_bit_interleaving(t0, U64BIG(*(u64*)ad)); - x0.e ^= t0.e; - x0.o ^= t0.o; - P6(); - adlen -= RATE; - ad += RATE; + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; } - tmp0 = 0; - for (i = 0; i < adlen; ++i, ++ad) tmp0 |= INS_BYTE64(*ad, i); - tmp0 |= INS_BYTE64(0x80, adlen); - to_bit_interleaving(t0, tmp0); - x0.e ^= t0.e; - x0.o ^= t0.o; - P6(); + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); } - x4.e ^= 1; + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} - // process plaintext - while (mlen >= RATE) { - to_bit_interleaving(t0, U64BIG(*(u64*)m)); - x0.e ^= t0.e; - x0.o ^= t0.o; - from_bit_interleaving(tmp0, x0); - *(u64*)c = U64BIG(tmp0); - P6(); - mlen -= RATE; - m += RATE; - c += RATE; +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; } - tmp0 = 0; - for (i = 0; i < mlen; ++i, ++m) tmp0 |= INS_BYTE64(*m, i); - tmp0 |= INS_BYTE64(0x80, mlen); - to_bit_interleaving(t0, tmp0); - x0.e ^= t0.e; - x0.o ^= t0.o; - from_bit_interleaving(tmp0, x0); - for (i = 0; i < mlen; ++i, ++c) *c = EXT_BYTE64(tmp0, i); + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} - // finalization - x1.e ^= K0.e; - x1.o ^= K0.o; - x2.e ^= K1.e; - x2.o ^= K1.o; - P12(); - x3.e ^= K0.e; - x3.o ^= K0.o; - x4.e ^= K1.e; - x4.o ^= K1.o; +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} - // set tag - from_bit_interleaving(tmp0, x3); - *(u64*)c = U64BIG(tmp0); - from_bit_interleaving(tmp0, x4); - *(u64*)(c + 8) = U64BIG(tmp0); +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* 
set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); return 0; } +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.c new file mode 100644 index 0000000..effd40b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.c @@ -0,0 +1,15 @@ +#include "interleave.h" + +#if !ASCON_EXTERN_BI + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.h index 7dfa822..e5d6703 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/interleave.h 
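Review bot: `crypto_aead_decrypt` leaves the decrypted bytes in `m` when the tag check fails, so a caller that mishandles the -1 return is handed unauthenticated plaintext; `int result = NOTZERO(s.x[3], s.x[4]); if (result) memset(m, 0, (size_t)clen); return result;` closes that path for one memset (`<string.h>` appears to be available already, since word.h calls memcpy). `NOTZERO` returns 0 on match and -1 otherwise, so the `if (result)` form keeps the current return contract. Both `key` and `s` also stay on the stack after return in encrypt and decrypt; an explicit wipe before returning is usual for key material, with the caveat that a plain `memset` may be elided by the compiler. In `ascon_loadkey` and `ascon_initaead`, `#else /* CRYPTO_KEYBYTES == 20 */` silently treats any other key size as 20 — `#elif CRYPTO_KEYBYTES == 20 ... #else #error "unsupported CRYPTO_KEYBYTES" #endif` would catch a misconfigured api.h at compile time.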
@@ -3,47 +3,65 @@ #include +#include "config.h" +#include "endian.h" #include "forceinline.h" -forceinline uint32_t deinterleave_uint32(uint32_t x) { +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); return x; } -forceinline uint32_t interleave_uint32(uint32_t x) { +forceinline uint32_t interleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); return x; } /* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); uint32_t hi = in >> 32; uint32_t lo = in; - uint32_t r0, r1; - lo = deinterleave_uint32(lo); - hi = deinterleave_uint32(hi); - r0 = (lo & 0x0000FFFF) | (hi << 16); - r1 = (lo >> 16) | (hi & 0xFFFF0000); - return (uint64_t)r1 << 32 | r0; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; } /* credit to Henry S. 
Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t interleave32(uint64_t in) { - uint32_t r0 = in; - uint32_t r1 = in >> 32; - uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16); - uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000); - lo = interleave_uint32(lo); - hi = interleave_uint32(hi); - return (uint64_t)hi << 32 | lo; + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); } #endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.c index 8e9b3c1..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.c @@ -1,17 +1,22 @@ #include "permutations.h" -#if !ASCON_UNROLL_LOOPS +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9}, - {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9}, - {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}}; +void P12(state_t* s) { P12ROUNDS(s); } #endif -#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -void P12(state_t* s) { P12ROUNDS(s); } void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.h index 336d7bb..feaa7dc 100644 
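Review bot: `deinterleave32` and `interleave32` now byte-swap through `U64BIG` on entry and exit respectively, so they are no longer pure bit permutations and a caller that still wraps them in its own `U64BIG` would double-swap; a one-line comment on each, e.g. `/* big-endian byte-order input -> bit-interleaved (odd << 32 | even) word */` and its converse, would pin the new contract. The masks are now read from the extern array `B[]` instead of being immediates, which looks like the purpose of this "lowreg" variant (fewer live constants in registers), but a single-letter global with external linkage is easy to clash with and nothing says why it exists; `ascon_bi_mask` or at least `/* mask table kept in memory to lower register pressure; defined in interleave.c */` would help. The enclosing `#if ASCON_INLINE_BI` / `#else` selection at the top of the hunk is self-contained, so `TOBI`/`FROMBI` resolve either way.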
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/permutations.h 
@@ -6,104 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8021000008220000ull) -#define ASCON_128A_IV WORD_T(0x8822000000200000ull) -#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull) -#define ASCON_HASH_IV WORD_T(0x0020000008020010ull) -#define ASCON_XOF_IV WORD_T(0x0020000008020000ull) - -#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull) -#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull) -#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull) -#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull) -#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull) - -#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull) -#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull) -#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull) -#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full) -#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull) - -#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull) -#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull) -#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull) -#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull) -#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull) - -#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull) -#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull) -#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull) -#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull) -#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull) - -#define START(n) (12 - 
n) -#define RC(e, o) WORD_T((uint64_t)o << 32 | e) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xc, 0xc)); - ROUND(s, RC(0x9, 0xc)); - ROUND(s, RC(0xc, 0x9)); - ROUND(s, RC(0x9, 0x9)); - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); -} - -extern const uint8_t constants[][2]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) - ROUND(s, RC(constants[i][0], constants[i][1])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.c index 6cb5f4d..8aa5862 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.c 
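Review bot: `ASCON_HASH_BYTES 32` is removed here and the new constants.h in this patch does not reintroduce it, so any hash/XOF source in this implementation that still names it will fail to compile — likely harmless for the AEAD-only build, but worth confirming before merging. The header also drops the old bounded `for`-loop `PROUNDS`; its replacement in round.h terminates on `i != END` rather than `i < END`, which changes behaviour for any `nr` outside 1..12. The trailing `#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` opens a block whose body lies outside this hunk.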
@@ -1,21 +1,40 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE

 #include "printstate.h"

 #include
 #include
+#include

-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }

 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
 }

 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_

-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE

 #include "ascon.h"
 #include "word.h"

-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);

 #else
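Review bot: `for (int i = strlen(text); i < 17; ++i)` narrows `size_t` to `int`; `for (size_t i = strlen(text); i < 17; ++i)` avoids the sign-conversion warning without changing the padding. With `ASCON_PRINT_STATE` defined this file writes the whole permutation state to stdout, including the words that hold key material right after the `init 1st key xor` and `final 1st key xor` steps in encrypt.c, so the `#ifdef` is the only thing keeping secrets out of logs — a header comment such as `/* Debug-only: dumps the full cipher state (key material included) to stdout; never define ASCON_PRINT_STATE in a production build. */` makes that visible. The empty `#define WORDTOU64` / `#define U64BIG` fallbacks make the calls expand to bare parentheses when word.h/endian.h did not define them, which works but reads like an accident without a one-line comment saying it is the identity fallback.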
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/round.h index b4635a6..2b8d9f1 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/round.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/round.h 
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= 
ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/word.h index 688e605..d685b5e 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/word.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowreg/word.h 
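Review bot: The new `PROUNDS` loop `do { ROUND(s, RC(i)); i += INC; } while (i != END);` has no guard on `nr`: if the lowreg constants.h matches the lowsize one shown later in this patch (`START(n)` = `24 - 2 * n`, `END` = 24), then `nr == 0` yields `i == END` before the first iteration, executes one round anyway and then keeps reading past the end of `constants[]`, and `nr > 12` starts at a negative index. The visible callers only pass 6, 8 and 12, but a counted loop `for (int i = START(nr); i < END; i += INC) ROUND(s, RC(i));` makes those misuses harmless at no cost. If the do/while is deliberate for code size on the target, a comment `/* requires 1 <= nr <= 12 */` should state the precondition.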
@@ -2,104 +2,115 @@ #define WORD_H_ #include +#include +#include "config.h" #include "endian.h" #include "forceinline.h" #include "interleave.h" -typedef struct { - uint32_t e; - uint32_t o; -} word_t; - -forceinline uint32_t ROR32(uint32_t x, int n) { - return (n == 0) ? x : x >> n | x << (32 - n); -} - -forceinline word_t ROR(word_t x, int n) { - word_t r; - r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2); - r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2); - return r; -} +#if ASCON_EXTERN_BI -forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; } +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; } +#else -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); } +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) -forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); } +#endif -forceinline word_t NOT(word_t a) { - a.e = ~a.e; - a.o = ~a.o; - return a; -} +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -forceinline word_t XOR(word_t a, word_t b) { - a.e ^= b.e; - a.o ^= b.o; - return a; +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); } -forceinline word_t AND(word_t a, word_t b) { - a.e &= b.e; - a.o &= b.o; - return a; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? 
ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t r; - r.e = lo2hi.e << 16 | hi2lo.e >> 16; - r.o = lo2hi.o << 16 | hi2lo.o >> 16; - return r; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; } -forceinline int NOTZERO(word_t a, word_t b) { - uint32_t result = a.e | a.o | b.e | b.o; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { - return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32); +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint32_t mask = 0x0fffffff >> (n * 4 - 4); - w.e &= mask; - w.o &= mask; - return w; + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); } +#endif + forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { 
uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/api.h index bc90a81..2c7f738 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/api.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/ascon.h index 471e4a5..70a4dee 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/ascon.h 
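Review bot: `LOAD` and `STORE` access the byte buffer through `*(uint64_t*)bytes`, which is both an aliasing violation and an unaligned 64-bit access that faults on cores that trap misaligned loads; `STORE` additionally performs a read-modify-write of all 8 bytes even when `n < 8`. Replacing the casts with an 8-byte `memcpy` into and out of a local `uint64_t` (the helper already relies on `memcpy` in `LOADBYTES`/`STOREBYTES`) compiles to the same instructions where unaligned access is permitted and is well-defined everywhere. The `/* undefined for n == 0 */` comment on `CLEAR` is also misplaced: both variants are fine for `n == 0` (shift count 0), whereas the `ASCON_EXTERN_BI` variant `~0ull >> (8 * n)` is undefined for `n == 8`, so it should read `/* undefined for n == 8 */`; update.c only calls it with `len` in 0..7, which is why this does not bite today.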
@@ -5,10 +5,20 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + #define ASCON_ABSORB 0x1 #define ASCON_SQUEEZE 0x2 #define ASCON_INSERT 0x4 @@ -19,8 +29,8 @@ typedef struct { void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode); -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, const uint8_t* ad, uint64_t adlen, const uint8_t* npub, const uint8_t* k, uint8_t mode); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/config.h index a4f5879..525682c 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/config.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/config.h @@ -3,7 +3,7 @@ /* inline the ascon mode */ #ifndef ASCON_INLINE_MODE -#define ASCON_INLINE_MODE 0 +#define ASCON_INLINE_MODE 1 #endif /* inline all permutations */ @@ -16,4 +16,14 @@ #define ASCON_UNROLL_LOOPS 0 #endif +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 0 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + #endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.c 
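Review bot: The new `typedef struct { ... } key_t;` in ascon.h reuses the name `key_t`, which POSIX already defines in `<sys/types.h>` as an integer type for IPC keys, so any translation unit that pulls that header in (directly, or through `<stdio.h>`/`<stdlib.h>` on common libcs) will fail with a conflicting typedef. A project-prefixed name, e.g. `} ascon_key_t;` with the matching `const ascon_key_t* key` in encrypt.c, avoids the clash; the struct is internal so the rename is free. The `#if (CRYPTO_KEYBYTES == 20)` member also depends on api.h having been included before ascon.h (the visible lines only include word.h); if it is not, the expression evaluates to 0 and the struct silently loses `k0`, so a `#include "api.h"` here or a comment stating the ordering requirement would be worthwhile.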
@@ -0,0 +1,9 @@ +#include "constants.h" + +#if !ASCON_UNROLL_LOOPS + +const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9, + 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9, + 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3}; + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.h new file mode 100644 index 0000000..d353d10 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/constants.h 
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/crypto_aead.c 
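Review bot: The IV macros in this header hold bit-interleaved encodings (even bits of the specification value in the low 32-bit word, odd bits in the high word) rather than the canonical Ascon IVs, and nothing says so; a reader comparing `ASCON_128_IV 0x8021000008220000ull` with the spec's `0x80400c0600000000` has no way to check it. A comment above the block, e.g. `/* IVs are stored bit-interleaved: low word = even bits, high word = odd bits of the spec value */`, would make the constants verifiable. Note also that `ASCON_HASH_IV` changes from `0x0020000008020010` (the definition removed from permutations.h in this patch) to `0x0020000008200010` here; by the interleaving above the new value is the encoding of the canonical `0x00400c0000000100` and the old one was not, so this is a silent correctness fix that deserves a changelog line rather than being folded into a refactor. `RC(i)` reads `constants[i]` and `constants[i + 1]`, so it is only valid for even `i` in 0..22; a comment next to `START`/`INC`/`END` that they guarantee this for `1 <= nr <= 12` would document the contract.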
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include 
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/encrypt.c
index 4a5b335..c6100f6 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/encrypt.c
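Review bot: The tag verdict `return (((result - 1) >> 8) & 1) - 1;` right-shifts a negative `int` in the matching case (`result == 0`), which is implementation-defined in C; the unsigned form `return -(int)(((unsigned)result + 0xffu) >> 8);` yields the same 0 / -1 for `result` in 0..255 without relying on an arithmetic shift. Independently, `crypto_aead_decrypt` has already written the complete plaintext into `m` when the tag is compared, so a caller that ignores the return value is handed unauthenticated data; computing the verdict into a local and then `if (ret) memset(m, 0, *mlen);` is the customary defence and fits the intent of the "verify tag" comment. Setting `*mlen = 0` in that same failure branch removes the second way of consuming the rejected output.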
@@ -1,26 +1,95 @@ #include "api.h" #include "ascon.h" -#include "crypto_aead.h" #include "permutations.h" #include "printstate.h" -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, - const uint8_t* ad, uint64_t adlen, const uint8_t* npub, - const uint8_t* k, uint8_t mode); +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* 
nsec, const unsigned char* npub, - const unsigned char* k) { +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ state_t s; - (void)nsec; - /* set ciphertext size */ - *clen = mlen + CRYPTO_ABYTES; - /* ascon encryption */ - ascon_aead(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); - /* set tag */ - STOREBYTES(c + mlen, s.x3, 8); - STOREBYTES(c + mlen + 8, s.x4, 8); - return 0; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.c index 321d0ce..effd40b 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.c 
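Review bot: At the end of `ascon_aead` the tag is written with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);`, but `t` is the `uint8_t t[16]` declared in crypto_aead.c, so this is an aliasing violation and an unaligned 64-bit store that can fault on cores that trap misaligned accesses. `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` already exists in word.h (the lowreg version shown earlier in this patch uses `memcpy` and the same `WORDTOU64` conversion; the lowsize one is presumably identical), so the cast buys nothing. The function also leaves the expanded key in `key` and the final state in `s` on the stack on return without clearing them; acceptable for a reference implementation, but worth a `/* note: key material is not wiped from the stack */` comment so integrators know. The parameter is named `tlen` here but `len` in the ascon.h declaration; aligning the two avoids confusion.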
@@ -1,42 +1,15 @@ #include "interleave.h" -static inline uint32_t deinterleave_uint32(uint32_t x) { - uint32_t t; - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - return x; -} +#if !ASCON_EXTERN_BI -static inline uint32_t interleave_uint32(uint32_t x) { - uint32_t t; - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - return x; -} +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; -/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ -uint64_t deinterleave32(uint64_t in) { - uint32_t hi = in >> 32; - uint32_t lo = in; - uint32_t r0, r1; - lo = deinterleave_uint32(lo); - hi = deinterleave_uint32(hi); - r0 = (lo & 0x0000FFFF) | (hi << 16); - r1 = (lo >> 16) | (hi & 0xFFFF0000); - return (uint64_t)r1 << 32 | r0; -} +#if !ASCON_INLINE_BI -/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ -uint64_t interleave32(uint64_t in) { - uint32_t r0 = in; - uint32_t r1 = in >> 32; - uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16); - uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000); - lo = interleave_uint32(lo); - hi = interleave_uint32(hi); - return (uint64_t)hi << 32 | lo; -} +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.h index ab87afc..e5d6703 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/interleave.h 
@@ -3,9 +3,65 @@ #include +#include "config.h" +#include "endian.h" #include "forceinline.h" -uint64_t deinterleave32(uint64_t in); -uint64_t interleave32(uint64_t in); +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} #endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.c index 8e9b3c1..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.c 
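Review bot: `extern const uint32_t B[3];` exports a single-letter identifier from a header that every Ascon source file includes, which invites a link-time collision with any project that also has a global `B`, and a static library gives no diagnostic until that link. Renaming it in the header and in interleave.c, e.g. `extern const uint32_t ascon_bi_masks[3];`, keeps the apparent code-size motivation (a shared table instead of immediates in `interleave16`/`deinterleave16`) without the namespace hazard. A one-line comment on the two 16-bit helpers naming the three masks (`0x22222222, 0x0c0c0c0c, 0x00f000f0`, as defined in interleave.c) would also spare readers a trip to the other file.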
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.c @@ -1,17 +1,22 @@ #include "permutations.h" -#if !ASCON_UNROLL_LOOPS +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9}, - {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9}, - {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}}; +void P12(state_t* s) { P12ROUNDS(s); } #endif -#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -void P12(state_t* s) { P12ROUNDS(s); } void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.h index 336d7bb..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/permutations.h 
@@ -6,104 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8021000008220000ull) -#define ASCON_128A_IV WORD_T(0x8822000000200000ull) -#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull) -#define ASCON_HASH_IV WORD_T(0x0020000008020010ull) -#define ASCON_XOF_IV WORD_T(0x0020000008020000ull) - -#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull) -#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull) -#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull) -#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull) -#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull) - -#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull) -#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull) -#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull) -#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full) -#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull) - -#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull) -#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull) -#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull) -#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull) -#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull) - -#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull) -#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull) -#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull) -#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull) -#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull) - -#define START(n) (12 - 
n) -#define RC(e, o) WORD_T((uint64_t)o << 32 | e) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xc, 0xc)); - ROUND(s, RC(0x9, 0xc)); - ROUND(s, RC(0xc, 0x9)); - ROUND(s, RC(0x9, 0x9)); - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); -} - -extern const uint8_t constants[][2]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) - ROUND(s, RC(constants[i][0], constants[i][1])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.c index 6cb5f4d..8aa5862 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.c 
@@ -1,21 +1,40 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else 
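Review bot: `for (int i = strlen(text); i < 17; ++i)` in `printstate` assigns a `size_t` to an `int`; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` is the type-correct form. The empty fallbacks `#define WORDTOU64` / `#define U64BIG` mean a missing word.h definition degrades to printing the internal word rather than a compile error, which should be stated in a comment (`/* fallback: print the raw word when no conversion macro is available */`) if that is the intent. As the state printed right after loading the key into x1/x2 in encrypt.c contains key material, `ASCON_PRINT_STATE` must never be defined in a shipped build.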
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/round.h index b4635a6..2b8d9f1 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/round.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/round.h 
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= 
ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/update.c index 7a4baa8..b81b24e 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/update.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/update.c 
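Review bot: `PROUNDS` loops `do { ROUND(s, RC(i)); i += INC; } while (i != END);` with `START(n)` = `24 - 2 * n`, `INC` = 2 and `END` = 24 from constants.h, so `nr == 0` starts at `i == END`, still runs one round and then reads past the 24-entry `constants[]` without terminating, while `nr > 12` starts at a negative index. The visible callers pass only 6, 8 and 12, but `for (int i = START(nr); i < END; i += INC) ROUND(s, RC(i));` costs nothing and makes both misuses harmless. If the do/while form is kept for code size, add `/* requires 1 <= nr <= 12 */` above it.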
@@ -3,30 +3,75 @@ #include "permutations.h" #include "printstate.h" +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode) { - const int rate = 8; - const int nr = 6; - word_t tmp0; - int n = 0; - while (len) { - /* determine block size */ - n = len < rate ? len : rate; +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { /* absorb data */ - tmp0 = LOAD(in, n); - s->x0 = XOR(s->x0, tmp0); +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } /* extract data */ - if (mode & ASCON_SQUEEZE) STORE(out, s->x0, n); + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } /* insert data */ if (mode & ASCON_INSERT) { - s->x0 = CLEAR(s->x0, n); - s->x0 = XOR(s->x0, tmp0); + s->x[i] = tmp; + printstate("insert ciphertext", s); } /* compute permutation for full blocks */ - if (n == rate) P(s, nr); - in += n; - out += n; - len -= n; +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; } - s->x0 = XOR(s->x0, PAD(n % 8)); + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert 
data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/word.h index 688e605..d685b5e 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/word.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi32_lowsize/word.h 
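Review bot: `uint64_t tmp;` is declared without an initializer, yet both `s->x[i] = tmp;` in the full-block loop and `s->x[i] ^= tmp;` in the tail read it, and under ASCON_HASH_BYTES the only assignments to `tmp` sit inside the `if (mode & ASCON_ABSORB)` guard; a mode that sets ASCON_INSERT without ASCON_ABSORB would therefore copy an indeterminate value into the state. If the decrypt mode always carries ASCON_ABSORB this is unreachable, but `uint64_t tmp = 0;` removes the dependency on how the mode bits are defined elsewhere at no cost. A one-line comment on the mode parameter, `/* mode: bitwise OR of ASCON_ABSORB / ASCON_SQUEEZE / ASCON_INSERT (and ASCON_HASH) — INSERT presumes ABSORB */`, would also make the expectation explicit.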
@@ -2,104 +2,115 @@ #define WORD_H_ #include +#include +#include "config.h" #include "endian.h" #include "forceinline.h" #include "interleave.h" -typedef struct { - uint32_t e; - uint32_t o; -} word_t; - -forceinline uint32_t ROR32(uint32_t x, int n) { - return (n == 0) ? x : x >> n | x << (32 - n); -} - -forceinline word_t ROR(word_t x, int n) { - word_t r; - r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2); - r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2); - return r; -} +#if ASCON_EXTERN_BI -forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; } +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; } +#else -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); } +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) -forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); } +#endif -forceinline word_t NOT(word_t a) { - a.e = ~a.e; - a.o = ~a.o; - return a; -} +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -forceinline word_t XOR(word_t a, word_t b) { - a.e ^= b.e; - a.o ^= b.o; - return a; +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); } -forceinline word_t AND(word_t a, word_t b) { - a.e &= b.e; - a.o &= b.o; - return a; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? 
ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t r; - r.e = lo2hi.e << 16 | hi2lo.e >> 16; - r.o = lo2hi.o << 16 | hi2lo.o >> 16; - return r; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; } -forceinline int NOTZERO(word_t a, word_t b) { - uint32_t result = a.e | a.o | b.e | b.o; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { - return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32); +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint32_t mask = 0x0fffffff >> (n * 4 - 4); - w.e &= mask; - w.o &= mask; - return w; + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); } +#endif + forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { 
uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/api.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/api.h index bc90a81..2c7f738 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/api.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/ascon.h 
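Review bot: The `/* undefined for n == 0 */` comment kept on both new CLEAR variants no longer matches their bodies: `~0ull >> (8 * n)` and `0xffffffffull >> (4 * n)` are well defined for n == 0 (full mask, nothing cleared), while the ASCON_EXTERN_BI variant shifts a 64-bit value by 64 when n == 8, which is the case that is actually undefined in C. Callers in this patch only pass 0..7 (update.c's tail block, encrypt.c's final ciphertext block), so `/* valid for 0 <= n < 8 */` is the accurate comment. Separately, LOAD and STORE still go through `*(uint64_t*)bytes` (unchanged context lines here) while the rewritten LOADBYTES/STOREBYTES use memcpy; the memcpy form is the one that is safe for unaligned input buffers and strict aliasing, and could replace the cast in LOAD/STORE as well.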
@@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/config.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/config.h index f5873d0..525682c 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/config.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/config.h @@ -16,4 +16,14 @@ #define ASCON_UNROLL_LOOPS 0 #endif +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 0 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + #endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.c new file mode 100644 index 0000000..7801918 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.c @@ -0,0 +1,8 @@ +#include "constants.h" + +#if !ASCON_UNROLL_LOOPS + +const uint64_t constants[] = {RC0, RC1, RC2, RC3, RC4, RC5, + RC6, RC7, RC8, RC9, RCa, RCb}; + +#endif 
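Review bot: The new `key_t` typedef reuses a name that POSIX `<sys/types.h>` already defines for System V IPC keys, so a translation unit that includes that header (directly, or transitively through libc headers on some platforms) together with ascon.h will see two conflicting typedefs; a project-prefixed name such as `ascon_key_t` avoids the clash without changing the layout. The rename would need to be carried through the `ascon_initaead` and `ascon_final` prototypes here and the `ascon_loadkey` definition in bi8/encrypt.c. The struct's layout also depends on `CRYPTO_KEYBYTES` from api.h, which a comment above the typedef should say: `/* k0 present only for 20-byte (Ascon-80pq) keys; see api.h */`.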
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.h
new file mode 100644
index 0000000..6c38206
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/constants.h
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8040000020301000ull
+#define ASCON_128A_IV 0xc000000030200000ull
+#define ASCON_80PQ_IV 0x8040800020301000ull
+#define ASCON_HASH_IV 0x0040000020200002ull
+#define ASCON_HASHA_IV 0x0040000020300002ull
+#define ASCON_XOF_IV 0x0040000020200000ull
+#define ASCON_XOFA_IV 0x0040000020300000ull
+
+#define ASCON_PRF_IV 0xe000000020200000ull
+#define ASCON_MAC_IV 0xe100000020200000ull
+#define ASCON_PRFS_IV 0x9020000020200000ull
+
+#define ASCON_HASH_IV0 0xfa8e976bb985dc4dull
+#define ASCON_HASH_IV1 0xc8085072a40ccd94ull
+#define ASCON_HASH_IV2 0xfe1781be5a847314ull
+#define ASCON_HASH_IV3 0x2f871f6c6d0082b2ull
+#define ASCON_HASH_IV4 0x7a1ba68850ec407eull
+
+#define ASCON_HASHA_IV0 0x194c0f180a5d41e4ull
+#define ASCON_HASHA_IV1 0x7faa87825647f3a7ull
+#define ASCON_HASHA_IV2 0x606dbe06db8da430ull
+#define ASCON_HASHA_IV3 0xe0dd6bcf19fbce3bull
+#define ASCON_HASHA_IV4 0x9720dc4446473d8bull
+
+#define ASCON_XOF_IV0 0x8a46f0d354e771b8ull
+#define ASCON_XOF_IV1 0x04489f4084368cd0ull
+#define ASCON_XOF_IV2 0x6c94f2150dbcf66cull
+#define ASCON_XOF_IV3 0x48965294f143b44eull
+#define ASCON_XOF_IV4 0x0788515fe0e5fb8aull
+
+#define ASCON_XOFA_IV0 0x4ab43d4f16a80d2cull
+#define ASCON_XOFA_IV1 0xd0ae310bf0f619ceull
+#define ASCON_XOFA_IV2 0xc08cf3c801d89cf3ull
+#define ASCON_XOFA_IV3 0x3859d2094dac0b35ull
+#define ASCON_XOFA_IV4 0xd274992be52b5357ull
+
+#define RC0 0x0101010100000000ull
+#define RC1 0x0101010000000001ull
+#define RC2 0x0101000100000100ull
+#define RC3 0x0101000000000101ull
+#define RC4 0x0100010100010000ull
+#define RC5 0x0100010000010001ull
+#define RC6 0x0100000100010100ull
+#define RC7 0x0100000000010101ull
+#define RC8 0x0001010101000000ull
+#define RC9 0x0001010001000001ull
+#define RCa 0x0001000101000100ull
+#define RCb 0x0001000001000101ull
+
+#define RC(i) (constants[i])
+#define START(n) (12 - (n))
+#define INC 1
+#define END 12
+
+extern const uint64_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/bi8/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/encrypt.c
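Review bot: `RC(i)`, `START(n)`, `INC` and `END` are short, unprefixed macros in a header that permutations.h now includes into every translation unit of the implementation, so any local variable, enumerator or struct member named `END` or `INC` in those units is rewritten to 12 or 1 before the compiler sees it. Prefixing them (`ASCON_RC`, `ASCON_START`, `ASCON_INC`, `ASCON_END`) would be the robust fix; failing that, a comment tying the three to their only consumer helps the next reader: `/* loop bounds for PROUNDS in round.h: i = START(nr); i += INC; until i == END */`. `RC(i)` also indexes `constants[]` unchecked, which is fine for the 12-entry table in constants.c as long as PROUNDS is only called with nr in 1..12.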
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.c index 659255b..1fa6134 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.c @@ -1,12 +1,9 @@ #include "interleave.h" -/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ -uint64_t interleave8(uint64_t x) { - x = (x & 0xaa55aa55aa55aa55ull) | ((x & 0x00aa00aa00aa00aaull) << 7) | - ((x >> 7) & 0x00aa00aa00aa00aaull); - x = (x & 0xcccc3333cccc3333ull) | ((x & 0x0000cccc0000ccccull) << 14) | - ((x >> 14) & 0x0000cccc0000ccccull); - x = (x & 0xf0f0f0f00f0f0f0full) | ((x & 0x00000000f0f0f0f0ull) << 28) | - ((x >> 28) & 0x00000000f0f0f0f0ull); - return x; -} +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return interleave8(in); } + +uint64_t FROMBI(uint64_t in) { return interleave8(in); } + +#endif \ No newline at end of file diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.h index fa9e921..d8e7d12 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.h 
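Review bot: crypto_aead_decrypt writes the decrypted bytes into `m` and sets `*mlen` before the tag is compared, and on a mismatch it returns -1 with the unverified plaintext still in the caller's buffer; a caller that ignores the return value, or logs `m` unconditionally, then consumes forged data. The usual remedy is to wipe the output on failure, e.g. replace the final return with `int ret = NOTZERO(s.x[3], s.x[4]); if (ret) { memset(m, 0, clen); *mlen = 0; } return ret;` (memset needs `<string.h>`, which the new include line in word.h appears to provide for memcpy). Both entry points also leave `key` and `s` on the stack after use; whether that matters depends on the target, but either an explicit clear or a comment stating that scrubbing is the caller's responsibility would record the decision. The tag comparison relies on NOTZERO being compiled branch-free, which its comment already flags for inspection.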
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/interleave.h @@ -3,8 +3,35 @@ #include +#include "config.h" #include "forceinline.h" -uint64_t interleave8(uint64_t x); +#if ASCON_EXTERN_BI + +#define TOBI +#define FROMBI + +#elif ASCON_INLINE_BI + +#define TOBI interleave8 +#define FROMBI interleave8 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave8(uint64_t x) { + x = (x & 0xaa55aa55aa55aa55ull) | ((x & 0x00aa00aa00aa00aaull) << 7) | + ((x >> 7) & 0x00aa00aa00aa00aaull); + x = (x & 0xcccc3333cccc3333ull) | ((x & 0x0000cccc0000ccccull) << 14) | + ((x >> 14) & 0x0000cccc0000ccccull); + x = (x & 0xf0f0f0f00f0f0f0full) | ((x & 0x00000000f0f0f0f0ull) << 28) | + ((x >> 28) & 0x00000000f0f0f0f0ull); + return x; +} #endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.c index b03de98..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.c 
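Review bot: Under ASCON_EXTERN_BI the new `#define TOBI` and `#define FROMBI` expand to nothing, so a use such as `TOBI(x)` in word.h becomes just `(x)`; that works only because every use is written in call form, and a reader will take the empty definitions for an unfinished edit. A one-line comment above them makes the intent explicit: `/* ASCON_EXTERN_BI: no conversion in this layer, TOBI(x)/FROMBI(x) expand to (x) */`. Since interleave8 is now a forceinline function in this header, the non-inline TOBI/FROMBI in interleave.c are plain wrappers around it, which the `#if !ASCON_INLINE_BI` block there could say in a comment as well.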
@@ -1,19 +1,22 @@ #include "permutations.h" -#if !ASCON_UNROLL_LOOPS +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -const uint64_t constants[12] = { - 0x0101010100000000ull, 0x0101010000000001ull, 0x0101000100000100ull, - 0x0101000000000101ull, 0x0100010100010000ull, 0x0100010000010001ull, - 0x0100000100010100ull, 0x0100000000010101ull, 0x0001010101000000ull, - 0x0001010001000001ull, 0x0001000101000100ull, 0x0001000001000101ull}; +void P12(state_t* s) { P12ROUNDS(s); } #endif -#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -void P12(state_t* s) { P12ROUNDS(s); } void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.h index f0d971a..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/permutations.h 
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8040000020301000ull) -#define ASCON_128A_IV WORD_T(0xc000000030200000ull) -#define ASCON_80PQ_IV WORD_T(0x8040800020301000ull) -#define ASCON_HASH_IV WORD_T(0x0040000020200002ull) -#define ASCON_XOF_IV WORD_T(0x0040000020200000ull) - -#define ASCON_HASH_IV0 WORD_T(0xfa8e976bb985dc4dull) -#define ASCON_HASH_IV1 WORD_T(0xc8085072a40ccd94ull) -#define ASCON_HASH_IV2 WORD_T(0xfe1781be5a847314ull) -#define ASCON_HASH_IV3 WORD_T(0x2f871f6c6d0082b2ull) -#define ASCON_HASH_IV4 WORD_T(0x7a1ba68850ec407eull) - -#define ASCON_HASHA_IV0 WORD_T(0x194c0f180a5d41e4ull) -#define ASCON_HASHA_IV1 WORD_T(0x7faa87825647f3a7ull) -#define ASCON_HASHA_IV2 WORD_T(0x606dbe06db8da430ull) -#define ASCON_HASHA_IV3 WORD_T(0xe0dd6bcf19fbce3bull) -#define ASCON_HASHA_IV4 WORD_T(0x9720dc4446473d8bull) - -#define ASCON_XOF_IV0 WORD_T(0x8a46f0d354e771b8ull) -#define ASCON_XOF_IV1 WORD_T(0x04489f4084368cd0ull) -#define ASCON_XOF_IV2 WORD_T(0x6c94f2150dbcf66cull) -#define ASCON_XOF_IV3 WORD_T(0x48965294f143b44eull) -#define ASCON_XOF_IV4 WORD_T(0x0788515fe0e5fb8aull) - -#define ASCON_XOFA_IV0 WORD_T(0x4ab43d4f16a80d2cull) -#define ASCON_XOFA_IV1 WORD_T(0xd0ae310bf0f619ceull) -#define ASCON_XOFA_IV2 WORD_T(0xc08cf3c801d89cf3ull) -#define ASCON_XOFA_IV3 WORD_T(0x3859d2094dac0b35ull) -#define ASCON_XOFA_IV4 WORD_T(0xd274992be52b5357ull) - -#define START(n) (12 - 
n) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0x0101010100000000ull)); - ROUND(s, RC(0x0101010000000001ull)); - ROUND(s, RC(0x0101000100000100ull)); - ROUND(s, RC(0x0101000000000101ull)); - ROUND(s, RC(0x0100010100010000ull)); - ROUND(s, RC(0x0100010000010001ull)); - ROUND(s, RC(0x0100000100010100ull)); - ROUND(s, RC(0x0100000000010101ull)); - ROUND(s, RC(0x0001010101000000ull)); - ROUND(s, RC(0x0001010001000001ull)); - ROUND(s, RC(0x0001000101000100ull)); - ROUND(s, RC(0x0001000001000101ull)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x0100010100010000ull)); - ROUND(s, RC(0x0100010000010001ull)); - ROUND(s, RC(0x0100000100010100ull)); - ROUND(s, RC(0x0100000000010101ull)); - ROUND(s, RC(0x0001010101000000ull)); - ROUND(s, RC(0x0001010001000001ull)); - ROUND(s, RC(0x0001000101000100ull)); - ROUND(s, RC(0x0001000001000101ull)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x0100000100010100ull)); - ROUND(s, RC(0x0100000000010101ull)); - ROUND(s, RC(0x0001010101000000ull)); - ROUND(s, RC(0x0001010001000001ull)); - ROUND(s, RC(0x0001000101000100ull)); - ROUND(s, RC(0x0001000001000101ull)); -} - -extern const uint64_t constants[12]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) ROUND(s, RC(constants[i])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.c index 6cb5f4d..0de03e6 100644 
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.c @@ -1,21 +1,40 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%016" PRIx64, s->x[0]); + printf(" x1=%016" PRIx64, s->x[1]); + printf(" x2=%016" PRIx64, s->x[2]); + printf(" x3=%016" PRIx64, s->x[3]); + printf(" x4=%016" PRIx64, s->x[4]); +#endif + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else 
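Review bot: printstate now prints all five state words on one line, and encrypt.c in this patch calls it at "init 1st key xor" and "final 1st key xor", when `s->x[1]`/`s->x[2]` (or `s->x[2]`/`s->x[3]` for the 16-byte rate) hold the key directly, so any build with ASCON_PRINT_STATE defined writes key material to stdout. That is the point of a debug trace, but printstate.h should say it: `/* ASCON_PRINT_STATE dumps the full state, including key words; define it only for debug/test builds */`. The `for (int i = strlen(text); i < 17; ++i)` loop assigns a size_t to an int; it is harmless for the short labels used here, but `size_t i` avoids the sign-conversion warning.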
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/round.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/round.h
index b4635a6..2b8d9f1 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/round.h
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= 
ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/bi8/word.h b/ascon/Implementations/crypto_aead/ascon128v12/bi8/word.h index 504568d..706c5c6 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/bi8/word.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/bi8/word.h @@ -2,20 +2,25 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" #include "interleave.h" typedef union { - uint64_t w; + uint64_t x; + uint32_t w[2]; uint8_t b[8]; } word_t; +#define U64TOWORD(x) interleave8(U64BIG(x)) +#define WORDTOU64(x) U64BIG(interleave8(x)) + forceinline uint8_t ROR8(uint8_t a, int n) { return a >> n | a << (8 - n); } -forceinline word_t ROR(word_t a, int n) { - word_t b; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; b.b[0] = ROR8(a.b[(n + 0) & 0x7], (n + 0) >> 3); b.b[1] = ROR8(a.b[(n + 1) & 0x7], (n + 1) >> 3); b.b[2] = ROR8(a.b[(n + 2) & 0x7], (n + 2) >> 3); 
@@ -24,57 +29,41 @@ forceinline word_t ROR(word_t a, int n) { b.b[5] = ROR8(a.b[(n + 5) & 0x7], (n + 5) >> 3); b.b[6] = ROR8(a.b[(n + 6) & 0x7], (n + 6) >> 3); b.b[7] = ROR8(a.b[(n + 7) & 0x7], (n + 7) >> 3); - return b; -} - -forceinline word_t WORD_T(uint64_t x) { - word_t w; - w.w = x; - return w; -} - -forceinline uint64_t UINT64_T(word_t w) { - uint64_t x; - x = w.w; - return x; + return b.x; } -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(interleave8(x)); } - -forceinline uint64_t WORDTOU64(word_t w) { return interleave8(UINT64_T(w)); } - -forceinline word_t NOT(word_t a) { - a.w = ~a.w; - return a; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.b[0] = lo2hi.b[0] << 4 | hi2lo.b[0] >> 4; + w.b[1] = lo2hi.b[1] << 4 | hi2lo.b[1] >> 4; + w.b[2] = lo2hi.b[2] << 4 | hi2lo.b[2] >> 4; + w.b[3] = lo2hi.b[3] << 4 | hi2lo.b[3] >> 4; + w.b[4] = lo2hi.b[4] << 4 | hi2lo.b[4] >> 4; + w.b[5] = lo2hi.b[5] << 4 | hi2lo.b[5] >> 4; + w.b[6] = lo2hi.b[6] << 4 | hi2lo.b[6] >> 4; + w.b[7] = lo2hi.b[7] << 4 | hi2lo.b[7] >> 4; + return w.x; } -forceinline word_t XOR(word_t a, word_t b) { - a.w ^= b.w; - return a; -} - -forceinline word_t AND(word_t a, word_t b) { - a.w &= b.w; - return a; -} - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t w; - w.w = lo2hi.w << 32 | hi2lo.w >> 32; - return w; -} - -forceinline int NOTZERO(word_t a, word_t b) { - uint64_t result = a.w | b.w; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return (word_t){.b[7] = 0x80 >> i}; } +forceinline uint64_t PAD(int i) { return (uint64_t)(0x80 >> i) << 56; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 30) | /* 0000x */ + ((len & 0x02) << 37) | /* 000x0 */ + ((len & 
0x04) << 44) | /* 00x00 */ + ((len & 0x08) << 51) | /* 0x000 */ + ((len & 0x10) << 58); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ uint8_t m = 0xff >> n; word_t mask = { @@ -87,7 +76,7 @@ forceinline word_t CLEAR(word_t w, int n) { .b[6] = m, .b[7] = m, }; - return AND(w, mask); + return w & mask.x; } forceinline uint64_t MASK(int n) { @@ -95,26 +84,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/api.h b/ascon/Implementations/crypto_aead/ascon128v12/esp32/api.h new file mode 100644 index 0000000..6ad53ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/api.h @@ -0,0 +1,6 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 
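Review bot: NOTZERO's final expression right-shifts a possibly negative `int` (`((int)(result & 0xff) - 1) >> 8`), and the result of shifting a negative signed value is implementation-defined in C, so the 0 / -1 contract relies on the compiler choosing an arithmetic shift; the changed lines only touch the signature and `a | b`, so this is pre-existing, but since the function is being rewritten anyway an unsigned formulation avoids the dependency, e.g. `uint32_t r = (uint32_t)(result & 0xff); return (int)((r - 1) >> 31) - 1;` (r == 0 yields 0, any non-zero r yields -1, matching the current behaviour). PAD and PRFS_MLEN in the same hunk look fine; a short comment on PRFS_MLEN saying which bit positions the five length bits land in would help, since the trailing `/* 0000x */` annotations do not say that.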
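Review bot: LOAD still reads a full `uint64_t` through `*(uint64_t*)bytes` and STORE still performs an 8-byte read-modify-write on `*(uint64_t*)bytes` regardless of `n`, and the OR in STORE is not masked, so the bytes past `n` receive the corresponding bytes of `w` (state material) rather than being left alone; for a final partial block this only stays in bounds if every caller guarantees at least 8 accessible bytes at `bytes`, which the hunk does not document. The same hunk already moved LOADBYTES and STOREBYTES to `memcpy` of exactly `n` bytes, and on the little-endian targets these use STORE is equivalent to `uint64_t x = WORDTOU64(w); memcpy(bytes, &x, n);` (and LOAD to LOADBYTES), which removes both the over-read/over-write and the unaligned `uint64_t*` access. If the 8-byte access is intentional for speed, a comment on LOAD/STORE stating the caller-side buffer requirement would at least make the contract visible.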
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/core.c b/ascon/Implementations/crypto_aead/ascon128v12/esp32/core.c
new file mode 100644
index 0000000..e85e458
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/core.c
@@ -0,0 +1,112 @@ +#include "core.h" + +#include + +void ascon_duplex(state* s, unsigned char* out, const unsigned char* in, + unsigned long len, u8 mode) { + u32_2 tmp; + + while (len >= RATE) { + tmp.h = ((u32*)in)[0]; + tmp.l = ((u32*)in)[1]; + tmp = ascon_rev8_half(tmp); + s->x0.h ^= tmp.h; + s->x0.l ^= tmp.l; + + if (mode != ASCON_AD) { + ((u32*)out)[0] = U32BIG(s->x0.h); + ((u32*)out)[1] = U32BIG(s->x0.l); + } + if (mode == ASCON_DEC) { + s->x0 = tmp; + } + + P(s, PB_START_ROUND, PB_ROUNDS); + + in += RATE; + out += RATE; + len -= RATE; + } + + u8* bytes = (u8*)&tmp; + memset(bytes, 0, sizeof tmp); + memcpy(bytes, in, len); + bytes[len] ^= 0x80; + + tmp = ascon_rev8_half(tmp); + s->x0.h ^= tmp.h; + s->x0.l ^= tmp.l; + + if (mode != ASCON_AD) { + tmp = ascon_rev8_half(s->x0); + memcpy(out, bytes, len); + } + if (mode == ASCON_DEC) { + memcpy(bytes, in, len); + tmp = ascon_rev8_half(tmp); + s->x0 = tmp; + } +} + +void ascon_core(state* s, unsigned char* out, const unsigned char* in, + unsigned long long tlen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k, u8 mode) { + u32_4 tmp; + u32_2 K0, K1, N0, N1; + + // load key + tmp.words[0].h = ((u32*)k)[0]; + tmp.words[0].l = ((u32*)k)[1]; + tmp.words[1].h = ((u32*)k)[2]; + tmp.words[1].l = ((u32*)k)[3]; + tmp = ascon_rev8(tmp); + K0 = tmp.words[0]; + K1 = tmp.words[1]; + + // load nonce + tmp.words[0].h = ((u32*)npub)[0]; + tmp.words[0].l = ((u32*)npub)[1]; + tmp.words[1].h = ((u32*)npub)[2]; + tmp.words[1].l = ((u32*)npub)[3]; + tmp = ascon_rev8(tmp); + N0 = tmp.words[0]; + N1 = tmp.words[1]; + + // initialization + to_big_immediate(s->x0, IV); + s->x1.h = K0.h; + s->x1.l = K0.l; + s->x2.h = K1.h; + s->x2.l = K1.l; + s->x3.h = N0.h; + s->x3.l = N0.l; + s->x4.h = N1.h; + s->x4.l = N1.l; + P(s, PA_START_ROUND, PA_ROUNDS); + s->x3.h ^= K0.h; + s->x3.l ^= K0.l; + s->x4.h ^= K1.h; + s->x4.l ^= K1.l; + + // process associated data + if (adlen) { + ascon_duplex(s, 
(void*)0, ad, adlen, ASCON_AD); + P(s, PB_START_ROUND, PB_ROUNDS); + } + s->x4.l ^= 1; + + // process plaintext/ciphertext + ascon_duplex(s, out, in, tlen, mode); + + // finalization + s->x1.h ^= K0.h; + s->x1.l ^= K0.l; + s->x2.h ^= K1.h; + s->x2.l ^= K1.l; + P(s, PA_START_ROUND, PA_ROUNDS); + s->x3.h ^= K0.h; + s->x3.l ^= K0.l; + s->x4.h ^= K1.h; + s->x4.l ^= K1.l; +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/core.h b/ascon/Implementations/crypto_aead/ascon128v12/esp32/core.h new file mode 100644 index 0000000..6a16e40 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/core.h @@ -0,0 +1,29 @@ +#ifndef CORE_H_ +#define CORE_H_ + +#include "api.h" +#include "endian.h" +#include "permutations.h" + +#define ASCON_AD 0 +#define ASCON_ENC 1 +#define ASCON_DEC 2 + +#define RATE (64 / 8) +#define PA_ROUNDS 12 +#define PB_ROUNDS 6 +#define PA_START_ROUND 0xf0 +#define PB_START_ROUND 0x96 +#define IV \ + ((u64)(8 * (CRYPTO_KEYBYTES)) << 0 | (u64)(8 * (RATE)) << 8 | \ + (u64)(PA_ROUNDS) << 16 | (u64)(PB_ROUNDS) << 24) + +void process_data(state* s, unsigned char* out, const unsigned char* in, + unsigned long long len, u8 mode); + +void ascon_core(state* s, unsigned char* out, const unsigned char* in, + unsigned long long tlen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k, u8 mode); + +#endif // CORE_H_ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/decrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/esp32/decrypt.c new file mode 100644 index 0000000..2f0e960 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/decrypt.c 
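Review bot: ascon_duplex and ascon_core read caller buffers through `(u32*)` casts (`tmp.h = ((u32*)in)[0]`, `tmp.words[0].h = ((u32*)k)[0]`, likewise for `npub`), which requires `in`, `k` and `npub` to be 4-byte aligned; as far as I recall the Xtensa core in the ESP32 raises an alignment exception on an unaligned 32-bit load rather than merely running slowly, so a message or key at an odd offset would crash instead of decrypt. The final-block path already uses `memcpy` into `tmp`, and the same form, `memcpy(&tmp, in, RATE);`, would make the full-block loop and the key/nonce loads alignment-safe; the tag accesses in decrypt.c and encrypt.c have the same issue. Separately, `ascon_duplex` declares `len` as `unsigned long` while ascon_core passes `unsigned long long` values (`adlen`, `tlen`), so the length is silently truncated on a 32-bit target.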
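Review bot: core.h declares `process_data(state*, unsigned char*, const unsigned char*, unsigned long long, u8)` but core.c defines no such function; the routine it describes is `ascon_duplex`, which has a different name and a different `len` type and is itself exported without a prototype. Either replace the stale declaration with `void ascon_duplex(state* s, unsigned char* out, const unsigned char* in, unsigned long len, u8 mode);` or make `ascon_duplex` `static` in core.c and drop the declaration. The `IV` macro packs the parameters into the low bytes and relies on `to_big_immediate` to byte-swap; a comment saying so would spare the reader comparing it against the `<< 56`-style IV used by the other implementations.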
@@ -0,0 +1,38 @@ +#include "core.h" + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + if (clen < CRYPTO_ABYTES) { + *mlen = 0; + return -1; + } + + state s; + u32_4 tmp; + (void)nsec; + + // set plaintext size + *mlen = clen - CRYPTO_ABYTES; + + ascon_core(&s, m, c, *mlen, ad, adlen, npub, k, ASCON_DEC); + + tmp.words[0].h = ((u32*)(c + *mlen))[0]; + tmp.words[0].l = ((u32*)(c + *mlen))[1]; + tmp.words[1].h = ((u32*)(c + *mlen))[2]; + tmp.words[1].l = ((u32*)(c + *mlen))[3]; + tmp = ascon_rev8(tmp); + u32_2 t0 = tmp.words[0]; + u32_2 t1 = tmp.words[1]; + + // verify tag (should be constant time, check compiler output) + if (((s.x3.h ^ t0.h) | (s.x3.l ^ t0.l) | (s.x4.h ^ t1.h) | (s.x4.l ^ t1.l)) != + 0) { + *mlen = 0; + return -1; + } + + return 0; +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/esp32/encrypt.c new file mode 100644 index 0000000..8f74e44 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/encrypt.c @@ -0,0 +1,28 @@ +#include "core.h" + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state s; + u32_4 tmp; + (void)nsec; + + // set ciphertext size + *clen = mlen + CRYPTO_ABYTES; + + ascon_core(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENC); + + tmp.words[0] = s.x3; + tmp.words[1] = s.x4; + tmp = ascon_rev8(tmp); + + // set tag + ((u32*)(c + mlen))[0] = tmp.words[0].h; + ((u32*)(c + mlen))[1] = tmp.words[0].l; + ((u32*)(c + mlen))[2] = tmp.words[1].h; + ((u32*)(c + mlen))[3] = tmp.words[1].l; + + return 0; +} 
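Review bot: crypto_aead_decrypt has already written the complete decrypted plaintext into `m` before the tag comparison runs, and on mismatch it only resets `*mlen` and returns -1, so `m` is left holding unauthenticated output; a caller that inspects `m` without checking the return value processes data an attacker controls. Making that explicit at the failure branch, either with a comment `/* m holds unverified plaintext on failure */` or by clearing it (`memset(m, 0, clen - CRYPTO_ABYTES);`, which needs `<string.h>`) before the reset, would be worthwhile. The tag is also read through `((u32*)(c + *mlen))[i]`, which needs `c + *mlen` to be 4-byte aligned on this target, as noted for the loads in core.c.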
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/esp32/endian.h new file mode 100644 index 0000000..b4d18f5 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/endian.h @@ -0,0 +1,29 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +// macros for big endian machines +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +// macros for little endian machines +#define U64BIG(x) \ + ((((x)&0x00000000000000FFULL) << 56) | (((x)&0x000000000000FF00ULL) << 40) | \ + (((x)&0x0000000000FF0000ULL) << 24) | (((x)&0x00000000FF000000ULL) << 8) | \ + (((x)&0x000000FF00000000ULL) >> 8) | (((x)&0x0000FF0000000000ULL) >> 24) | \ + (((x)&0x00FF000000000000ULL) >> 40) | (((x)&0xFF00000000000000ULL) >> 56)) +#define U32BIG(x) \ + ((((x)&0x000000FF) << 24) | (((x)&0x0000FF00) << 8) | \ + (((x)&0x00FF0000) >> 8) | (((x)&0xFF000000) >> 24)) +#define U16BIG(x) ((((x)&0x00FF) << 8) | (((x)&0xFF00) >> 8)) + +#else +#error "ascon byte order macros not defined in endian.h" +#endif + +#endif // ENDIAN_H_ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/implementors b/ascon/Implementations/crypto_aead/ascon128v12/esp32/implementors new file mode 100644 index 0000000..38a64ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/implementors @@ -0,0 +1,3 @@ +Christoph Dobraunig +Martin Schläffer +Ferdinand Bachmann diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.c new file mode 100644 index 0000000..b6e3010 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.c 
@@ -0,0 +1,95 @@ +#include "permutations.h" + +#include "endian.h" + +u32_4 ascon_rev8(u32_4 in) { + in.words[0].h = U32BIG(in.words[0].h); + in.words[0].l = U32BIG(in.words[0].l); + in.words[1].h = U32BIG(in.words[1].h); + in.words[1].l = U32BIG(in.words[1].l); + return in; +} + +u32_2 ascon_rev8_half(u32_2 in) { + in.h = U32BIG(in.h); + in.l = U32BIG(in.l); + return in; +} + +#define SBOX(x0, x1, x2, x3, x4, r0, t0, t1, t2) \ + do { \ + t1 = x0 ^ x4; \ + t2 = x3 ^ x4; \ + t0 = -1; \ + x4 = x4 ^ t0; \ + t0 = x1 ^ x2; \ + x4 = x4 | x3; \ + x4 = x4 ^ t0; \ + x3 = x3 ^ x1; \ + x3 = x3 | t0; \ + x3 = x3 ^ t1; \ + x2 = x2 ^ t1; \ + x2 = x2 | x1; \ + x2 = x2 ^ t2; \ + x0 = x0 | t2; \ + x0 = x0 ^ t0; \ + t0 = -1; \ + t1 = t1 ^ t0; \ + x1 = x1 & t1; \ + x1 = x1 ^ t2; \ + r0 = x0; \ + } while (0) + +#define SRC(o, h, l, amt) \ + do { \ + o = (((u64)h << 32) | l) >> amt; \ + } while (0) + +#define LINEAR(dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0) \ + do { \ + SRC(dl, sh0, sl0, r0); \ + SRC(dh, sl0, sh0, r0); \ + dl = dl ^ sl; \ + dh = dh ^ sh; \ + SRC(t0, sh1, sl1, r1); \ + SRC(sh, sl1, sh1, r1); \ + dl = dl ^ t0; \ + dh = dh ^ sh; \ + } while (0) + +void P(state *p, u8 round_const, u8 rounds) { + u32 x0h = p->x0.h, x0l = p->x0.l; + u32 x1h = p->x1.h, x1l = p->x1.l; + u32 x2h = p->x2.h, x2l = p->x2.l; + u32 x3h = p->x3.h, x3l = p->x3.l; + u32 x4h = p->x4.h, x4l = p->x4.l; + u32 t0l, t0h; + u32 rnd = round_const; + u32 tmp0; + + while (rnd >= LAST_ROUND) { + x2l ^= rnd; + + SBOX(x0l, x1l, x2l, x3l, x4l, t0l, t0h, t0l, tmp0); + SBOX(x0h, x1h, x2h, x3h, x4h, t0h, t0h, x0l, tmp0); + + LINEAR(x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, tmp0); + LINEAR(x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, tmp0); + LINEAR(x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, tmp0); + LINEAR(x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, tmp0); + LINEAR(x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, tmp0); + + rnd -= 15; + } + + p->x0.h = x0h; + p->x0.l = x0l; + p->x1.h = x1h; + p->x1.l 
= x1l; + p->x2.h = x2h; + p->x2.l = x2l; + p->x3.h = x3h; + p->x3.l = x3l; + p->x4.h = x4h; + p->x4.l = x4l; +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.h new file mode 100644 index 0000000..2ce8279 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/esp32/permutations.h @@ -0,0 +1,50 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +typedef unsigned char u8; +typedef unsigned int u32; +typedef unsigned long long u64; + +typedef struct { + u32 h; + u32 l; +} u32_2; + +typedef struct { + u32_2 words[2]; +} u32_4; + +typedef struct { + u32_2 x0; + u32_2 x1; + u32_2 x2; + u32_2 x3; + u32_2 x4; +} state; + +#define START_ROUND(x) (12 - (x)) +#define LAST_ROUND 0x4b + +u32_4 ascon_rev8(u32_4 in); +u32_2 ascon_rev8_half(u32_2 in); + +#define to_big_immediate(out, in) \ + do { \ + u64 big_in = U64BIG(in); \ + u32 hi = (big_in) >> 32; \ + u32 lo = (u32)(big_in); \ + out.h = hi; \ + out.l = lo; \ + } while (0) + +#define from_big_immediate(out, in) \ + do { \ + u32 hi = in.h; \ + u32 lo = in.l; \ + out = (u64)hi << 32 | lo; \ + out = U64BIG(out); \ + } while (0) + +void P(state *p, u8 round_const, u8 rounds); + +#endif // PERMUTATIONS_H_ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/api.h b/ascon/Implementations/crypto_aead/ascon128v12/neon/api.h index bc90a81..2c7f738 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/neon/api.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/neon/ascon.h index f6b6ebc..79dccd5 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/neon/ascon.h 
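Review bot: `P` takes a `rounds` parameter but never reads it; the loop runs while `rnd >= LAST_ROUND` with `rnd -= 15`, so the number of rounds is fixed entirely by `round_const`, and a caller passing an inconsistent pair such as `PB_START_ROUND` with `PA_ROUNDS` gets the wrong round count with no diagnostic. Either drop the parameter from `P` and its declaration in permutations.h, or make it the actual bound, `for (u32 r = 0; r < rounds; ++r, rnd -= 15)`, so the two cannot disagree. The SBOX invocations alias the `r0` output with a temporary on purpose (`t0l` in the first call, `t0h` in the second); a comment stating that `r0` is written last and that `t0l`/`t0h` carry the old x0 word into LINEAR would save the next reader a careful trace.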
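Review bot: `to_big_immediate` and `from_big_immediate` expand to `U64BIG`, but permutations.h does not include endian.h, so the header only compiles when the includer has pulled endian.h in first (core.h happens to do so); adding `#include "endian.h"` after the include guard removes the order dependency. `START_ROUND(x)` appears unused by the files in this diff, while the actual start constants live in core.h as `PA_START_ROUND`/`PB_START_ROUND`; if it is dead it should go, otherwise a comment on how it relates to `LAST_ROUND` would help.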
+++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/ascon.h @@ -6,7 +6,15 @@ #include "word.h" typedef struct { - word_t x0, x1, x2, x3, x4; + uint64_t x[5]; } state_t; -#endif /* ASCON_H */ +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/neon/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/constants.h 
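Review bot: the new `typedef struct { ... } key_t;` reuses a name POSIX reserves: `<sys/types.h>` defines `key_t` (the System V IPC key type), and on glibc, for example, `<stdlib.h>` includes it unless strict ISO mode is requested, so any translation unit that reaches that header alongside ascon.h gets a conflicting typedef and fails to compile. A project-prefixed name such as `ascon_key_t` avoids the collision; the declarations in encrypt.c (`key_t key;` and the `const key_t* key` parameters) would need the same rename. The `#if (CRYPTO_KEYBYTES == 20)` member is conditional, so a comment noting that `k0` only exists for Ascon-80pq would help readers of ascon_final.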
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/neon/encrypt.c index 52bec6d..eeaab5f 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/neon/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/encrypt.c 
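Review bot: `#define INC -0x0f` is an unparenthesised negative literal, so any use other than the `i += INC` in round.h (for instance `x INC` inside a larger expression after macro substitution, or `-INC`) changes meaning; `#define INC (-0x0f)` is the conventional form, and `#define END 0x3c` deserves a comment tying it to `START(n)` and `INC` (it is the constant one step past the last round). The second `#include` line lost its header name in this rendering, so I cannot tell whether it is `<stdint.h>`; the file uses no integer types itself, so if the include is only there for consumers a comment saying so would be useful.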
@@ -1,66 +1,306 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define PA_ROUNDS 12 -#define PB_ROUNDS 6 -#define IV \ - ((uint64_t)(8 * (CRYPTO_KEYBYTES)) << 56 | \ - (uint64_t)(8 * (ASCON_RATE)) << 48 | (uint64_t)(PA_ROUNDS) << 40 | \ - (uint64_t)(PB_ROUNDS) << 32) +#define AD(NR, RATE, RS, RA) \ + do { \ + uint32_t adlen_hi = (uint32_t)(adlen >> 32); \ + uint32_t adlen_lo = (uint32_t)adlen; \ + __asm__ __volatile__ ( \ + ".arm \n\t" \ + ".fpu neon \n\t" \ + "cmp %[adlen_hi], #0 \n\t" \ + "cmpeq %[adlen_lo], #(%c[R]-1) \n\t" \ + "bls .LAD1 \n\t" \ + "vldm %[s], {d0-d4} \n\t" \ + ".LAD0: \n\t" \ + "vldm %[ad]!, {" RA "} \n\t" \ + "vrev64.8 " RA ", " RA " \n\t" \ + "veor " RS ", " RS ", " RA " \n\t" \ + "vmvn d2, d2 \n\t" \ + P ## NR ## ROUNDS(s) \ + "vmvn d2, d2 \n\t" \ + "sub %[adlen_lo], %[adlen_lo], #%c[R] \n\t" \ + "sbc %[adlen_hi], %[adlen_hi], #0 \n\t" \ + "cmp %[adlen_hi], #0 \n\t" \ + "cmpeq %[adlen_lo], #(%c[R]-1) \n\t" \ + "bhi .LAD0 \n\t" \ + "vstm %[s], {d0-d4} \n\t" \ + ".LAD1: \n\t" \ + : [adlen_hi] "+r" (adlen_hi), [adlen_lo] "+r" (adlen_lo), \ + [ad] "+r" (ad) \ + : [s] "r" (s), [C] "r" (C), [R] "i" (RATE) \ + : "d0", "d1", "d2", "d3", "d4", \ + "d10", "d11", "d12", "d13", "d14", "d16", "d17", \ + "d20", "d21", "d22", "d23", "d24", \ + "d31", "memory"); \ + adlen = (uint64_t)adlen_hi << 32 | adlen_lo; \ + } while (0) -int crypto_aead_encrypt(uint8_t* c, uint64_t* clen, const uint8_t* m, - uint64_t mlen, const uint8_t* ad, uint64_t adlen, - const uint8_t* nsec, const uint8_t* npub, - const uint8_t* k) { - const uint64_t K0 = U64BIG(*(uint64_t*)k); - const uint64_t K1 = U64BIG(*(uint64_t*)(k + 8)); - const uint64_t N0 = U64BIG(*(uint64_t*)npub); - const uint64_t N1 = U64BIG(*(uint64_t*)(npub + 8)); - state_t s; - uint32_t i; - (void)nsec; +#define PT(NR, RATE, RS, RM, RC) \ + do { \ + uint32_t mlen_hi = (uint32_t)(mlen >> 32); \ + uint32_t mlen_lo = 
(uint32_t)mlen; \ + __asm__ __volatile__ ( \ + ".arm \n\t" \ + ".fpu neon \n\t" \ + "cmp %[mlen_hi], #0 \n\t" \ + "cmpeq %[mlen_lo], #(%c[R]-1) \n\t" \ + "bls .LPT1 \n\t" \ + "vldm %[s], {d0-d4} \n\t" \ + ".LPT0: \n\t" \ + "vldm %[m]!, {" RM "} \n\t" \ + "vrev64.8 " RM ", " RM " \n\t" \ + "veor " RS ", " RS ", " RM " \n\t" \ + "vrev64.8 " RC ", " RS " \n\t" \ + "vstm %[c]!, {" RC "} \n\t" \ + "vmvn d2, d2 \n\t" \ + P ## NR ## ROUNDS(s) \ + "vmvn d2, d2 \n\t" \ + "sub %[mlen_lo], %[mlen_lo], #%c[R] \n\t" \ + "sbc %[mlen_hi], %[mlen_hi], #0 \n\t" \ + "cmp %[mlen_hi], #0 \n\t" \ + "cmpeq %[mlen_lo], #(%c[R]-1) \n\t" \ + "bhi .LPT0 \n\t" \ + "vstm %[s], {d0-d4} \n\t" \ + ".LPT1: \n\t" \ + : [mlen_hi] "+r" (mlen_hi), [mlen_lo] "+r" (mlen_lo), \ + [m] "+r" (m), [c] "+r" (c) \ + : [s] "r" (s), [C] "r" (C), [R] "i" (RATE) \ + : "d0", "d1", "d2", "d3", "d4", \ + "d10", "d11", "d12", "d13", "d14", "d16", "d17", \ + "d20", "d21", "d22", "d23", "d24", "d26", "d27", \ + "d31", "memory"); \ + mlen = (uint64_t)mlen_hi << 32 | mlen_lo; \ + } while (0) - /* set ciphertext size */ - *clen = mlen + CRYPTO_ABYTES; +#define CT(NR, RATE, RS, RM, RC) \ + do { \ + uint32_t clen_hi = (uint32_t)(clen >> 32); \ + uint32_t clen_lo = (uint32_t)clen; \ + __asm__ __volatile__ ( \ + ".arm \n\t" \ + ".fpu neon \n\t" \ + "cmp %[clen_hi], #0 \n\t" \ + "cmpeq %[clen_lo], #(%c[R]-1) \n\t" \ + "bls .LCT1 \n\t" \ + "vldm %[s], {d0-d4} \n\t" \ + ".LCT0: \n\t" \ + "vldm %[c]!, {" RC "} \n\t" \ + "vrev64.8 " RM ", " RS " \n\t" \ + "veor " RM ", " RM ", " RC " \n\t" \ + "vrev64.8 " RS ", " RC " \n\t" \ + "vstm %[m]!, {" RM "} \n\t" \ + "vmvn d2, d2 \n\t" \ + P ## NR ## ROUNDS(s) \ + "vmvn d2, d2 \n\t" \ + "sub %[clen_lo], %[clen_lo], #%c[R] \n\t" \ + "sbc %[clen_hi], %[clen_hi], #0 \n\t" \ + "cmp %[clen_hi], #0 \n\t" \ + "cmpeq %[clen_lo], #(%c[R]-1) \n\t" \ + "bhi .LCT0 \n\t" \ + "vstm %[s], {d0-d4} \n\t" \ + ".LCT1: \n\t" \ + : [clen_hi] "+r" (clen_hi), [clen_lo] "+r" (clen_lo), \ + [m] "+r" (m), [c] "+r" 
(c) \ + : [s] "r" (s), [C] "r" (C), [R] "i" (RATE) \ + : "d0", "d1", "d2", "d3", "d4", \ + "d10", "d11", "d12", "d13", "d14", "d16", "d17", \ + "d20", "d21", "d22", "d23", "d24", "d26", "d27", \ + "d31", "memory"); \ + clen = (uint64_t)clen_hi << 32 | clen_lo; \ + } while (0) + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif - /* initialization */ - s.x0 = IV; - s.x1 = K0; - s.x2 = K1; - s.x3 = N0; - s.x4 = N1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +#ifdef ASCON_AEAD_RATE - /* process associated data */ +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; if (adlen) { - AD(); - for (i = 0; i < adlen; ++i, ++ad) s.x0 ^= SETBYTE(*ad, i); - s.x0 ^= SETBYTE(0x80, adlen); - P6(); + /* full associated data blocks */ +#if ASCON_AEAD_RATE == 8 + AD(6, 8, "d0", "d16"); +#else + AD(8, 16, "q0", "q8"); +#endif + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ +#if ASCON_AEAD_RATE == 8 + PT(6, 8, "d0", "d16", "d26"); +#else + PT(8, 16, "q0", "q8", "q13"); +#endif + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); } - s.x4 ^= 1; + printstate("pad plaintext", s); +} - /* process plaintext */ - PT(); - for (i = 0; i < mlen; ++i, ++m, ++c) { - s.x0 ^= SETBYTE(*m, i); - *c = GETBYTE(s.x0, i); +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ +#if ASCON_AEAD_RATE == 8 + CT(6, 8, "d0", "d16", "d26"); +#else + CT(8, 16, "q0", "q8", "q13"); +#endif + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; } - s.x0 ^= SETBYTE(0x80, mlen); + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} - /* finalization */ - s.x1 ^= K0; - s.x2 ^= K1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); /* set tag */ - *(uint64_t*)c = U64BIG(s.x3); - *(uint64_t*)(c + 8) = U64BIG(s.x4); - + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); return 0; } + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + 
unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/neon/permutations.h index 9ba4c44..01411b6 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/neon/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/permutations.h 
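Review bot: crypto_aead_decrypt returns -1 for `clen < CRYPTO_ABYTES` without writing `*mlen`, so a caller that reads `*mlen` after a failure sees whatever was in it; the esp32 variant in this same patch sets `*mlen = 0` before returning, and this one should match: `if (clen < CRYPTO_ABYTES) { *mlen = 0; return -1; }`. Separately, the AD/PT/CT macros use fixed assembler labels (`.LAD0`, `.LAD1`, `.LPT0`, ...); with ASCON_INLINE_MODE the forceinline helpers are inlined into both crypto_aead_encrypt and crypto_aead_decrypt, so ascon_adata's asm block, labels included, would appear twice in the translation unit and the assembler would reject the duplicate definition if that configuration is built. Numeric local labels (`0:` with `bhi 0b`) or a `%=` suffix on the label names avoid the clash. The same alignment caveat applies here as elsewhere in the patch: the `vldm` loop reads and writes `RATE` bytes at a time through `m`/`c`/`ad` and the partial-block tail goes through LOAD/STORE, so the buffer requirements of those helpers carry over.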
@@ -6,43 +6,10 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - const uint64_t C[12] = { 0xffffffffffffff0full, 0xffffffffffffff1eull, 0xffffffffffffff2dull, 0xffffffffffffff3cull, 0xffffffffffffff4bull, 0xffffffffffffff5aull, diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.c 
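Review bot: `const uint64_t C[12] = { ... }` stays in the header as a definition with external linkage (C, unlike C++, gives file-scope `const` objects external linkage), so including permutations.h from two translation units produces a multiple-definition link error; this is context rather than a changed line, but since the surrounding constants just moved to constants.h it is a natural moment to make it `static const uint64_t C[12]`, which the asm operand `[C] "r" (C)` in encrypt.c still accepts. The removed `ASCON_HASH_BYTES 32` has no counterpart in the new constants.h shown in this diff; if any file in the tree still references it, that breaks.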
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/round.h b/ascon/Implementations/crypto_aead/ascon128v12/neon/round.h index 8a9a987..d50e45d 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/neon/round.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/round.h 
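Review bot: the padding loop in printstate stores `strlen(text)` into an `int` (`for (int i = strlen(text); i < 17; ++i)`), a silent `size_t`-to-`int` narrowing that most warning levels flag; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` is the clean form. The `#ifndef WORDTOU64 / #define WORDTOU64` and `U64BIG` fallbacks define the names to nothing, which makes `U64BIG(WORDTOU64(x))` silently degrade to `(x)` when the real macros are not in scope; a comment saying this is intended for implementations whose word.h has no interleaving would explain why an empty macro is acceptable here.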
@@ -4,64 +4,48 @@
 #include "ascon.h"
 #include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-/* clang-format off */
-#define ROUND(OFFSET) \
- "vldr d31, [%[C], #" #OFFSET "] \n\t" \
- "veor d0, d0, d4 \n\t" \
- "veor d4, d4, d3 \n\t" \
- "veor d2, d2, d31 \n\t" \
- "vbic d13, d0, d4 \n\t" \
- "vbic d12, d4, d3 \n\t" \
- "veor d2, d2, d1 \n\t" \
- "vbic d14, d1, d0 \n\t" \
- "vbic d11, d3, d2 \n\t" \
- "vbic d10, d2, d1 \n\t" \
- "veor q0, q0, q5 \n\t" \
- "veor q1, q1, q6 \n\t" \
- "veor d4, d4, d14 \n\t" \
- "veor d1, d1, d0 \n\t" \
- "veor d3, d3, d2 \n\t" \
- "veor d0, d0, d4 \n\t" \
- "vsri.64 d14, d4, #7 \n\t" \
- "vsri.64 d24, d4, #41 \n\t" \
- "vsri.64 d11, d1, #39 \n\t" \
- "vsri.64 d21, d1, #61 \n\t" \
- "vsri.64 d10, d0, #19 \n\t" \
- "vsri.64 d20, d0, #28 \n\t" \
- "vsri.64 d12, d2, #1 \n\t" \
- "vsri.64 d22, d2, #6 \n\t" \
- "vsri.64 d13, d3, #10 \n\t" \
- "vsri.64 d23, d3, #17 \n\t" \
- "vsli.64 d10, d0, #45 \n\t" \
- "vsli.64 d20, d0, #36 \n\t" \
- "vsli.64 d11, d1, #25 \n\t" \
- "vsli.64 d21, d1, #3 \n\t" \
- "vsli.64 d12, d2, #63 \n\t" \
- "vsli.64 d22, d2, #58 \n\t" \
- "vsli.64 d13, d3, #54 \n\t" \
- "vsli.64 d23, d3, #47 \n\t" \
- "vsli.64 d14, d4, #57 \n\t" \
- "vsli.64 d24, d4, #23 \n\t" \
- "veor q5, q5, q0 \n\t" \
- "veor q6, q6, q1 \n\t" \
- "veor d14, d14, d4 \n\t" \
- "veor q0, q5, q10 \n\t" \
- "veor d4, d14, d24 \n\t" \
+#define ROUND(OFFSET) /* clang-format off */ \
+ "vldr d31, [%[C], #" #OFFSET "] \n\t" /* clang-format on */ \
+ "veor d0, d0, d4 \n\t" \
+ "veor d4, d4, d3 \n\t" \
+ "veor d2, d2, d31 \n\t" \
+ "vbic d13, d0, d4 \n\t" \
+ "vbic d12, d4, d3 \n\t" \
+ "veor d2, d2, d1 \n\t" \
+ "vbic d14, d1, d0 \n\t" \
+ "vbic d11, d3, d2 \n\t" \
+ "vbic d10, d2, d1 \n\t" \
+ "veor q0, q0, q5 \n\t" \
+ "veor q1, q1, q6 \n\t" \
+ "veor d4, d4, d14 \n\t" \
+ "veor d1, d1, d0 \n\t" \
+ "veor d3, d3, d2 \n\t" \
+ "veor d0, d0, d4 \n\t" \
+ "vsri.64 d14, d4, #7 \n\t" \
+ "vsri.64 d24, d4, #41 \n\t" \
+ "vsri.64 d11, d1, #39 \n\t" \
+ "vsri.64 d21, d1, #61 \n\t" \
+ "vsri.64 d10, d0, #19 \n\t" \
+ "vsri.64 d20, d0, #28 \n\t" \
+ "vsri.64 d12, d2, #1 \n\t" \
+ "vsri.64 d22, d2, #6 \n\t" \
+ "vsri.64 d13, d3, #10 \n\t" \
+ "vsri.64 d23, d3, #17 \n\t" \
+ "vsli.64 d10, d0, #45 \n\t" \
+ "vsli.64 d20, d0, #36 \n\t" \
+ "vsli.64 d11, d1, #25 \n\t" \
+ "vsli.64 d21, d1, #3 \n\t" \
+ "vsli.64 d12, d2, #63 \n\t" \
+ "vsli.64 d22, d2, #58 \n\t" \
+ "vsli.64 d13, d3, #54 \n\t" \
+ "vsli.64 d23, d3, #47 \n\t" \
+ "vsli.64 d14, d4, #57 \n\t" \
+ "vsli.64 d24, d4, #23 \n\t" \
+ "veor q5, q5, q0 \n\t" \
+ "veor q6, q6, q1 \n\t" \
+ "veor d14, d14, d4 \n\t" \
+ "veor q0, q5, q10 \n\t" \
+ "veor d4, d14, d24 \n\t" \
 "veor q1, q6, q11 \n\t"
-/* clang-format on */
 #endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/neon/word.h b/ascon/Implementations/crypto_aead/ascon128v12/neon/word.h
index 8e28f6d..79bfeb4 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/neon/word.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/neon/word.h
@@ -2,36 +2,27 @@
 #define WORD_H_
 #include
+#include
 #include "endian.h"
 #include "forceinline.h"
-typedef uint64_t word_t;
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
-#define WORD_T
-#define UINT64_T
-#define U64TOWORD
-#define WORD_T
-#define WORDTOU64
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
-/* get byte from Ascon 64-bit word */
-#define GETBYTE(x, i) ((uint8_t)((uint64_t)(x) >> (56 - 8 * (i))))
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
-/* set byte in Ascon 64-bit word */
-#define SETBYTE(b, i) ((uint64_t)(b) << (56 - 8 * (i)))
-
-forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); }
-
-forceinline word_t NOT(word_t a) { return ~a; }
-
-forceinline word_t XOR(word_t a, word_t b) { return a ^ b; }
-
-forceinline word_t AND(word_t a, word_t b) { return a & b; }
-
-forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) {
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
 return lo2hi << 32 | hi2lo >> 32;
 }
-forceinline int NOTZERO(word_t a, word_t b) {
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
 uint64_t result = a | b;
 result |= result >> 32;
 result |= result >> 16;
@@ -39,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) {
 return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
 }
-forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t CLEAR(uint64_t w, int n) {
 /* undefined for n == 0 */
- uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8);
+ uint64_t mask = ~0ull >> (8 * n);
 return w & mask;
 }
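Review bot: The comment `/* undefined for n == 0 */` kept above the new `CLEAR` body no longer describes it: `~0ull >> (8 * n)` is well defined for n == 0 (it returns `w` unchanged) and is instead undefined for n == 8, where the shift count equals the operand width; it was the old mask `0x00ffffffffffffffull >> (n * 8 - 8)` that broke at n == 0. I would replace the comment with `/* valid for 0 <= n < 8; n == 8 would shift by 64 (UB) */` so a future caller neither adds a pointless n != 0 guard nor passes a full block. The neighbouring `MASK` (`~0ull >> (64 - 8 * n)`) is the helper that still has the n == 0 hazard; it lies in the next hunk.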
@@ -52,29 +45,25 @@ forceinline uint64_t MASK(int n) {
 return ~0ull >> (64 - 8 * n);
 }
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
 uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64BIG(x);
+ return U64TOWORD(x);
 }
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
 *(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(w);
+ *(uint64_t*)bytes |= WORDTOU64(w);
 }
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
 uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
- return x;
-}
-
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i];
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
 }
-static inline uint64_t CLEARBYTES(uint64_t x, int n) {
- for (int i = 0; i < n; ++i) x &= ~SETBYTE(0xff, i);
- return x;
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
 }
 #endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/api.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/ascon.h
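Review bot: `LOAD` and `STORE` still touch a full 8 bytes at `bytes` whatever `n` is: `LOAD` reads `*(uint64_t*)bytes` before masking, and `STORE` clears only the first `n` bytes but then ORs the complete `WORDTOU64(w)` into all eight, so for a partial block (n < 8) the bytes past the end of the buffer are read and, on the store side, rewritten with state-derived bits. The commit only swaps `U64BIG` for `U64TOWORD` here and leaves that in place, together with the unaligned `uint64_t` access through a `uint8_t*`, which is a strict-aliasing violation and can fault on targets without unaligned-load support. Since this hunk already gives `LOADBYTES`/`STOREBYTES` a `memcpy` body, the partial-block case could be routed through them (defining them above `LOAD`/`STORE`), e.g. `STORE` becoming `uint64_t x = WORDTOU64(w); memcpy(bytes, &x, n);`, keeping the word-at-a-time path only where the caller guarantees n == 8. Whether any caller in the neon mode code passes n < 8 is not visible from this hunk, but the opt32 `encrypt.c` added by the same commit does on every final partial block.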
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/config.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/config.h
new file mode 100644
index 0000000..9e814e0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/constants.h
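Review bot: The new `typedef struct { ... } key_t;` reuses the name of the POSIX `key_t` from `<sys/types.h>`, a header that `<stdlib.h>` commonly pulls in on glibc and the BSDs, so any translation unit that ends up with both gets a conflicting-typedef error. A project-prefixed name such as `ascon_key_t` avoids it, with the `ascon_initaead`/`ascon_final` prototypes below changed accordingly. Separately, `#if (CRYPTO_KEYBYTES == 20)` is evaluated with `CRYPTO_KEYBYTES` undefined whenever `ascon.h` is included before `api.h` (this header does not include it itself); the preprocessor then treats the macro as 0 and silently drops `k0`, giving two layouts of the same struct across translation units. An `#include "api.h"` at the top, or `#ifndef CRYPTO_KEYBYTES #error "include api.h before ascon.h" #endif`, would make that loud.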
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define
ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/encrypt.c
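Review bot: `#define INC -0x0f` is an unparenthesised negative literal, so any use other than the `i += INC` in `round.h` (for instance `START(nr) - INC` or `2 * INC`) would parse differently from what the name suggests; `#define INC (-0x0f)` is the conventional form and costs nothing. The same header's `RC(i)` and `START(n)` already parenthesise their arguments, so this is the one definition out of line with the rest. I found nothing else to change in the constants themselves.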
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned
char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/endian.h
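Review bot: `crypto_aead_decrypt` writes the decrypted bytes into `m` and sets `*mlen` before the tag is checked, and on a mismatch it returns the `NOTZERO` result while leaving the unverified plaintext in the caller's buffer; the NIST LWC API tolerates that, but a caller that ignores the return value then consumes forged data, so wiping the output on failure is cheap insurance: `int result = NOTZERO(s.x[3], s.x[4]); if (result) memset(m, 0, (size_t)clen); return result;` (the branch is on the public verification result, not on secret data, and `memset` needs `<string.h>`, which `word.h` appears to include already for `memcpy`). The `clen < CRYPTO_ABYTES` guard at the top is correct and prevents the length underflow. A related point in the helpers above: the final-block `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `STORE(m, *px, clen)` calls in `ascon_adata`, `ascon_encrypt` and `ascon_decrypt` pass n < 8 to routines that read and write a whole 8-byte word, so the last partial block reads past the end of `ad`/`m` and, in `ascon_decrypt`, ORs state-derived bits into up to seven bytes past the end of `m`; the encrypt-side `STORE(c, *px, mlen)` only lands in the tag area, which is overwritten right after. Routing the n < 8 cases through the `memcpy`-based `LOADBYTES`/`STOREBYTES` instead removes both problems without touching the full-block path.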
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/forceinline.h
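Review bot: `U64BIG`, `U32BIG` and `U16BIG` are function-like macros that expand their argument eight, four and two times, so an argument with side effects (`U64BIG(*p++)`) would be evaluated repeatedly; every call visible in this commit passes a plain variable, but nothing documents the restriction. A one-line comment above the little-endian block, `/* NOTE: x is expanded several times; pass only side-effect-free expressions */`, or turning them into `static inline` functions, would keep a future caller from tripping on it. The `_MSC_VER` branch also assumes every MSVC target is little-endian, which holds for the platforms MSVC currently ships for but is worth stating in the comment next to it.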
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/implementors b/ascon/Implementations/crypto_aead/ascon128v12/opt32/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.c
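Review bot: The `#elif defined(__CLANG__)` branch is dead: clang predefines `__clang__` (lowercase), never `__CLANG__`, and it also predefines `__GNUC__`, so clang always takes the GCC branch above it and the `__has_attribute` probe is never reached. Either drop the branch or spell it `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test so the attribute check is actually exercised for clang. As written the result on clang is still a correct `always_inline`, only the intent is misleading.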
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/permutations.h
@@ -0,0 +1,78 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+forceinline void P12ROUNDS(state_t* s) {
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.c
new file mode 100644
index 0000000..9b03f87
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.c
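Review bot: In the two unrolled variants of `P(state_t* s, int nr)` a round count other than 12, 8 or 6 matches none of the three `if`s and the function returns with the state untouched, so the permutation is silently skipped; a wrong `nr` from a future mode would then produce output that looks valid but is cryptographically meaningless. The looped variants already handle any count through `PROUNDS(s, nr)`, so the unrolled ones could chain the tests and fall back to it: `if (nr == 12) P12ROUNDS(s); else if (nr == 8) P8ROUNDS(s); else if (nr == 6) P6ROUNDS(s); else PROUNDS(s, nr);` (with `P12`/`P8`/`P6` in place of the `*ROUNDS` calls in the non-inlined variant). Every caller visible in this commit passes a literal 12, 6 or 8, so this changes nothing today; it only removes the silent no-op.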
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/round.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/round.h
new file mode 100644
index 0000000..1ecc93d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/round.h
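Review bot: `printstate` writes all five state words to stdout, and at the points where `encrypt.c` calls it (`"init 1st key xor"`, `"final 2nd key xor"`) those words hold the key, so a build with `ASCON_PRINT_STATE` defined leaks key and keystream material to whatever captures the output. The guard makes that a compile-time choice, but nothing in the file says so; a header comment above `printword` such as `/* Debug tracing only: dumps the whole state, including key material, to stdout. Never define ASCON_PRINT_STATE for a production build. */` would make the intent explicit. Minor: `for (int i = strlen(text); ...)` narrows a `size_t` into an `int`; `size_t i` avoids the conversion warning.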
@@ -0,0 +1,47 @@
+#ifndef ROUND_H_
+#define ROUND_H_
+
+#include "ascon.h"
+#include "printstate.h"
+
+forceinline void ROUND(state_t* s, uint8_t C) {
+ uint64_t xtemp;
+ /* round constant */
+ s->x[2] ^= C;
+ /* s-box layer */
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ xtemp = s->x[0] & ~s->x[4];
+ s->x[0] ^= s->x[2] & ~s->x[1];
+ s->x[2] ^= s->x[4] & ~s->x[3];
+ s->x[4] ^= s->x[1] & ~s->x[0];
+ s->x[1] ^= s->x[3] & ~s->x[2];
+ s->x[3] ^= xtemp;
+ s->x[1] ^= s->x[0];
+ s->x[3] ^= s->x[2];
+ s->x[0] ^= s->x[4];
+ s->x[2] = ~s->x[2];
+ /* linear layer */
+ s->x[0] ^=
+ (s->x[0] >> 19) ^ (s->x[0] << 45) ^ (s->x[0] >> 28) ^ (s->x[0] << 36);
+ s->x[1] ^=
+ (s->x[1] >> 61) ^ (s->x[1] << 3) ^ (s->x[1] >> 39) ^ (s->x[1] << 25);
+ s->x[2] ^=
+ (s->x[2] >> 1) ^ (s->x[2] << 63) ^ (s->x[2] >> 6) ^ (s->x[2] << 58);
+ s->x[3] ^=
+ (s->x[3] >> 10) ^ (s->x[3] << 54) ^ (s->x[3] >> 17) ^ (s->x[3] << 47);
+ s->x[4] ^=
+ (s->x[4] >> 7) ^ (s->x[4] << 57) ^ (s->x[4] >> 41) ^ (s->x[4] << 23);
+ printstate(" round output", s);
+}
+
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
+#endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32/word.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32/word.h
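Review bot: `PROUNDS` does not terminate for `nr == 0`: `START(0)` evaluates to `(3 << 4) | 12`, which is `0x3c`, the same value as `END`, so the `do { ... } while (i != END)` runs one round, steps `i` to `0x2d`, and then keeps subtracting 15 without ever meeting `END` again (eventually overflowing `int`). A plain `for (int i = START(nr); i != END; i += INC) ROUND(s, RC(i));` makes nr == 0 a no-op instead and is no slower for the 6, 8 and 12 that the callers use. The rotation pairs in the linear layer (19/28, 61/39, 1/6, 10/17, 7/41) agree with the `vsri`/`vsli` immediates in the neon `round.h` touched by this commit, so that part checks out.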
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/api.h
new file mode 100644
index 0000000..2c7f738
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/api.h
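Review bot: `LOAD` and `STORE` access a full `uint64_t` at `bytes` regardless of `n`: `LOAD` reads eight bytes and masks afterwards, and `STORE` clears the first `n` bytes but then ORs the entire `WORDTOU64(w)` into all eight, so bytes `n..7` receive state-derived bits. In this commit's `encrypt.c` the last partial block calls `LOAD(ad, adlen)`, `LOAD(m, mlen)` and, in `ascon_decrypt`, `STORE(m, *px, clen)` with n < 8, which reads past the end of `ad`/`m` and writes up to seven bytes past the end of the plaintext buffer (the encrypt-side `STORE(c, ...)` lands in the tag area, which is overwritten afterwards). `LOADBYTES`/`STOREBYTES` below already do the right thing with `memcpy`; moving them above and giving `LOAD`/`STORE` the same bodies (`uint64_t x = 0; memcpy(&x, bytes, n); return U64TOWORD(x);` and `uint64_t x = WORDTOU64(w); memcpy(bytes, &x, n);`) fixes the out-of-bounds access and also removes the unaligned `uint64_t` access through a `uint8_t*`, which violates strict aliasing and can fault on targets without unaligned-load support. `MASK` then keeps only its remaining callers and is still undefined for n == 0 as its comment says, whereas `CLEAR`'s copy of that comment is stale: `~0ull >> (8 * n)` is defined for n == 0 and undefined for n == 8.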
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
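Review bot: This `ascon.h` carries the same `key_t` naming clash as the opt32 one: the POSIX `key_t` typedef from `<sys/types.h>` (commonly reached through `<stdlib.h>`) conflicts with it, so the struct should get a project-prefixed name such as `ascon_key_t`, and its `#if (CRYPTO_KEYBYTES == 20)` field guard silently evaluates to false unless `api.h` was included first. The `ASCON_ABSORB`/`ASCON_SQUEEZE`/`ASCON_INSERT`/`ASCON_HASH` bits are new here and undocumented; a comment above them stating what `ascon_update` does for each bit would help, since a reader can only guess from the names and from `ASCON_DECRYPT` adding `ASCON_INSERT` to `ASCON_ENCRYPT`. The bodies of `ascon_update` and `ascon_aead` are in `crypto_aead.c`, outside this chunk, so I have not verified those semantics.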
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/crypto_aead.c 
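Review bot: `START`, `INC`, `END` and `RC(i)` are generic, unprefixed macro names exported from a header every AEAD translation unit includes, while everything else in the file uses the `ASCON_` prefix; they will silently shadow or collide with same-named identifiers in any code that pulls this implementation in. The opt64 constants.h in this patch exports the same names. Prefixing them, e.g. `#define ASCON_RC_START(n) ((3 + (n)) << 4 | (12 - (n)))`, `#define ASCON_RC_INC -0x0f`, `#define ASCON_RC_END 0x3c`, keeps the public namespace consistent; round.h's PROUNDS is the only consumer visible here.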
@@ -0,0 +1,46 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + /* ascon encryption */ + ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); + /* set tag */ + for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i]; + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + /* ascon decryption */ + ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT); + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i]; + return (((result - 1) >> 8) & 1) - 1; +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/encrypt.c new file mode 100644 index 0000000..c6100f6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/encrypt.c 
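Review bot: `crypto_aead_decrypt` writes the decrypted bytes into `m` and sets `*mlen` before the tag is compared, and on a mismatch returns -1 leaving that unauthenticated plaintext in the caller's buffer; nothing in the comment says so. Wiping the output on failure closes that gap: `int fail = (((result - 1) >> 8) & 1) - 1;`, `if (fail) memset(m, 0, *mlen);`, `return fail;` (memset needs string.h, which word.h appears to include already for memcpy). The opt64 encrypt.c hunk in this patch has the same behaviour in its crypto_aead_decrypt. `uint8_t t[16]` in both functions should also be `uint8_t t[CRYPTO_ABYTES]` so the buffer tracks api.h instead of repeating the constant.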
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/endian.h 
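Review bot: `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and the following line store the tag through a uint64_t pointer into what the lowsize crypto_aead.c passes as a plain `uint8_t t[16]`, which violates strict aliasing and assumes an 8-byte alignment a uint8_t array is not guaranteed to have — a real concern on the 32-bit targets an opt32 build is presumably meant for. word.h already provides a memcpy-based store for exactly this, so `STOREBYTES(t, s.x[3], 8);` and `STOREBYTES(t + 8, s.x[4], 8);` produce the same bytes without the cast, matching what the opt64 encrypt.c in this patch does for its tag. Separately, `ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB)` passes a null `out` that update.c then advances with `out += 8`; it is never dereferenced in absorb mode, but arithmetic on a null pointer is undefined in C and deserves a comment or a guard. The parameter is named `tlen` here and `len` in the ascon.h prototype; aligning the names helps readers.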
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.c
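Review bot: `#elif defined(__CLANG__)` never matches, because clang defines `__clang__` (lowercase); clang also defines `__GNUC__`, so it takes the GNUC branch above and the `__has_attribute` probe intended for it is dead code. Either drop the branch or spell it `#elif defined(__clang__)` and place it before the `__GNUC__` test so the attribute probe actually runs on clang. Behaviour is unaffected today because the GNUC path yields the same definition.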
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.c 
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/round.h new file mode 100644 index 0000000..1ecc93d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/round.h 
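Review bot: When ASCON_PRINT_STATE is defined, `printstate` writes all five state words to stdout, and encrypt.c calls it right after the key and nonce are loaded (`printstate("init 1st key xor", s)`), so a build with this macro prints key material in the clear; printstate.h says nothing about that. A comment above the `#ifdef ASCON_PRINT_STATE` in printstate.h would make the intent explicit, e.g. `/* Debug aid only: prints the full internal state, including key-derived words, to stdout. Never define ASCON_PRINT_STATE for a production build. */`. Also `for (int i = strlen(text); i < 17; ++i)` narrows a size_t into an int; `size_t i` avoids the implicit conversion and the sign-compare warning.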
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint8_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + s->x[2] = ~s->x[2]; + /* linear layer */ + s->x[0] ^= + (s->x[0] >> 19) ^ (s->x[0] << 45) ^ (s->x[0] >> 28) ^ (s->x[0] << 36); + s->x[1] ^= + (s->x[1] >> 61) ^ (s->x[1] << 3) ^ (s->x[1] >> 39) ^ (s->x[1] << 25); + s->x[2] ^= + (s->x[2] >> 1) ^ (s->x[2] << 63) ^ (s->x[2] >> 6) ^ (s->x[2] << 58); + s->x[3] ^= + (s->x[3] >> 10) ^ (s->x[3] << 54) ^ (s->x[3] >> 17) ^ (s->x[3] << 47); + s->x[4] ^= + (s->x[4] >> 7) ^ (s->x[4] << 57) ^ (s->x[4] >> 41) ^ (s->x[4] << 23); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/update.c 
@@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null 
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt32_lowsize/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/api.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64/api.h index bc90a81..2c7f738 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/api.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/api.h 
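Review bot: `LOAD` and `STORE` access all 8 bytes at `bytes` regardless of `n`, so a partial-block call such as `LOAD(ad, adlen)` with adlen < 8 reads past the end of the caller's buffer, and `STORE(m, *px, clen)` both reads and writes the bytes after the plaintext, ORing state bytes into memory the caller never handed over; the opt64 encrypt.c hunk in this patch does exactly this in its final-block paths, assuming opt64/word.h matches this file. The `*(uint64_t*)bytes` cast also assumes 8-byte alignment and breaks strict aliasing. With the big-endian definitions in endian.h, U64BIG is the identity while MASK(n) selects the low-order n bytes, i.e. the last n bytes in memory, so the partial LOAD appears to pick the wrong bytes on such targets. The memcpy-based LOADBYTES/STOREBYTES defined further down avoid all three problems, so LOAD can become `return LOADBYTES(bytes, n);` and STORE `STOREBYTES(bytes, w, n);`; for the constant n == 8 case mainstream compilers typically fold the memcpy into a single load or store.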
@@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/ascon.h @@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64/encrypt.c index 0c9744c..631e60c 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/encrypt.c 
@@ -1,80 +1,220 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define RATE (64 / 8) -#define PA_ROUNDS 12 -#define PB_ROUNDS 6 -#define IV \ - ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \ - (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32) +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* nsec, const unsigned char* npub, - const unsigned char* k) { - const u64 K0 = U64BIG(*(u64*)k); - const u64 K1 = U64BIG(*(u64*)(k + 8)); - const u64 N0 = U64BIG(*(u64*)npub); - const u64 N1 = U64BIG(*(u64*)(npub + 8)); - state s; - u64 i; - (void)nsec; +#ifdef ASCON_AEAD_RATE - // set ciphertext size - *clen = mlen + CRYPTO_ABYTES; +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} - // initialization - s.x0 = IV; - s.x1 = K0; - s.x2 = K1; - s.x3 = N0; - s.x4 = N1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} - // process associated data 
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; if (adlen) { - while (adlen >= RATE) { - s.x0 ^= U64BIG(*(u64*)ad); - P6(); - adlen -= RATE; - ad += RATE; + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; } - for (i = 0; i < adlen; ++i, ++ad) s.x0 ^= INS_BYTE64(*ad, i); - s.x0 ^= INS_BYTE64(0x80, adlen); - P6(); + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); } - s.x4 ^= 1; + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} - // process plaintext - while (mlen >= RATE) { - s.x0 ^= U64BIG(*(u64*)m); - *(u64*)c = U64BIG(s.x0); - P6(); - mlen -= RATE; - m += RATE; - c += RATE; +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; } - for (i = 0; i < mlen; ++i, ++m, ++c) { - s.x0 ^= INS_BYTE64(*m, i); - *c = EXT_BYTE64(s.x0, i); + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; } - s.x0 ^= INS_BYTE64(0x80, mlen); + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} - // finalization - s.x1 ^= K0; - s.x2 ^= K1; - P12(); - s.x3 ^= K0; - s.x4 ^= K1; +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} - // set tag - *(u64*)c = U64BIG(s.x3); - *(u64*)(c + 8) = U64BIG(s.x4); +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 
8, s.x[4], 8); return 0; } +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/permutations.h 
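Review bot: The constant-time tag check `return NOTZERO(s.x[3], s.x[4]);` depends on NOTZERO in word.h computing `(((int)(result & 0xff) - 1) >> 8) & 1`, a right shift of a negative int whose result is implementation-defined in C, so the branch-free intent rests on the compiler choosing an arithmetic shift; the lowsize crypto_aead.c in this patch uses the same idiom inline. An unsigned formulation is fully defined and just as branch-free: in NOTZERO, `uint64_t r = a | b;` followed by `return -(int)((r | -r) >> 63);`, which yields 0 when both words are zero and -1 otherwise, exactly as now. The "check compiler output" comment would then only need to cover the absence of data-dependent branches.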
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.c 
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/round.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64/round.h index cd8ec34..e5ceb5a 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/round.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/round.h 
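Review bot: printstate dumps all five state words, and the ascon_initaead code later in this patch calls it right after the key is loaded into x[1]/x[2] and the nonce into x[3]/x[4] (`printstate("init 1st key xor", s)`), so any binary built with ASCON_PRINT_STATE defined writes key material to stdout, and nothing in this file says so. I would put `/* Debug/trace only: dumps the full state, which holds key and nonce words right after init -- never define ASCON_PRINT_STATE in a production build. */` above printstate. The padding loop `for (int i = strlen(text); i < 17; ++i)` also narrows a size_t into an int; `for (size_t i = strlen(text); i < 17; ++i)` reads the same and is warning-free.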
@@ -4,49 +4,43 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { +forceinline void ROUND(state_t* s, uint8_t C) { state_t t; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - t.x0 = XOR(s->x0, AND(NOT(s->x1), s->x2)); - t.x2 = XOR(s->x2, AND(NOT(s->x3), s->x4)); - t.x4 = XOR(s->x4, AND(NOT(s->x0), s->x1)); - t.x1 = XOR(s->x1, AND(NOT(s->x2), s->x3)); - t.x3 = XOR(s->x3, AND(NOT(s->x4), s->x0)); - t.x1 = XOR(t.x1, t.x0); - t.x3 = XOR(t.x3, t.x2); - t.x0 = XOR(t.x0, t.x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[1] ^= t.x[0]; + t.x[3] ^= t.x[2]; + t.x[0] ^= t.x[4]; /* linear layer */ - s->x2 = XOR(t.x2, ROR(t.x2, 6 - 1)); - s->x3 = XOR(t.x3, ROR(t.x3, 17 - 10)); - s->x4 = XOR(t.x4, ROR(t.x4, 41 - 7)); - s->x0 = XOR(t.x0, ROR(t.x0, 28 - 19)); - s->x1 = XOR(t.x1, ROR(t.x1, 61 - 39)); - s->x2 = XOR(t.x2, ROR(s->x2, 1)); - s->x3 = XOR(t.x3, ROR(s->x3, 10)); - s->x4 = XOR(t.x4, ROR(s->x4, 7)); - s->x0 = XOR(t.x0, ROR(s->x0, 19)); - s->x1 = XOR(t.x1, ROR(s->x1, 39)); - s->x2 = NOT(s->x2); + s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1); + s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10); + s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7); + s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39); + s->x[2] = t.x[2] ^ ROR(s->x[2], 1); + s->x[3] = t.x[3] ^ ROR(s->x[3], 10); + s->x[4] = t.x[4] ^ 
ROR(s->x[4], 7); + s->x[0] = t.x[0] ^ ROR(s->x[0], 19); + s->x[1] = t.x[1] ^ ROR(s->x[1], 39); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64/word.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64/word.h index 3df73c4..79bfeb4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64/word.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64/word.h @@ -2,30 +2,27 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" -typedef uint64_t word_t; +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -#define WORD_T -#define UINT64_T -#define U64TOWORD -#define WORDTOU64 +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); } +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } -forceinline word_t NOT(word_t a) { return ~a; } - -forceinline word_t XOR(word_t a, word_t b) { return a ^ b; } - -forceinline word_t AND(word_t a, word_t b) { return a & b; } - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { +forceinline int NOTZERO(uint64_t a, uint64_t b) { uint64_t result = a | b; result |= result >> 32; result |= result >> 16; 
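Review bot: PROUNDS terminates only because START(nr) lands exactly on END after nr steps of INC, which holds for nr in 1..12; for nr == 0 the do/while still runs one round and then never meets END again, and nr > 12 or negative walks past 0x3c without stopping. Every caller visible in this patch passes the literals 12, 8 or 6, so this is a documentation gap rather than a live bug, but the contract is not written anywhere near the loop. I would add `/* nr must be 1..12: the constant walks from START(nr) down to RCb (0x4b) and the loop ends on END one step below it */` above the function. The `(-n & 63)` rotate amount in ROR now makes ROR(x, 0) well-defined; that deserves its own one-line comment so nobody "simplifies" it back to `64 - n`.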
@@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) { return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); + uint64_t mask = ~0ull >> (8 * n); return w & mask; } @@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64BIG(x); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(w); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; - return x; + memcpy(&x, bytes, n); + return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i]; +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/api.h index bc90a81..2c7f738 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/api.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/api.h 
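Review bot: The comment `/* undefined for n == 0 */` on CLEAR no longer matches the code: with `~0ull >> (8 * n)` a shift of 0 is fine and CLEAR(w, 0) returns w unchanged, while n == 8 now shifts a 64-bit value by 64, which is undefined. The callers in this patch only pass 0 <= n < 8 (a partial-block length), so the code is right and only the comment is stale; it should read `/* clears the first n bytes of w; undefined for n == 8 (shift by 64), n == 0 is a no-op */`. PRFS_MLEN is new and undocumented; a short note on what `len << 51` encodes would save the reader a trip to the spec, since nothing in this hunk uses it.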
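Review bot: STORE ORs the whole of WORDTOU64(w) into `*(uint64_t*)bytes` after clearing only the first n bytes, so for n < 8 every nonzero byte of w beyond position n is written into bytes[n..7], and LOAD reads all 8 bytes regardless of n. The final-block decrypt code visible at the top of this patch calls `LOAD(c, clen)` and `STORE(m, *px, clen)` with clen < 8 right after `*px ^= PAD(clen)`, so the pad bit and the untouched state bytes of *px land past the clen plaintext bytes the caller provided and c is over-read by 8 - clen bytes; both are out-of-bounds accesses on caller buffers, and the uint64_t* cast is additionally an unaligned, aliasing-violating access that strict-alignment targets fault on. LOADBYTES/STOREBYTES in the same hunk already do the exact-length memcpy, so the simplest fix is to express the partial-block path the same way (on the little-endian byte order that MASK assumes, the n == 8 results are identical to the current code):
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* read exactly n bytes (1..8); never touches bytes[n..7] */
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* write exactly the first n bytes of w; no read-modify-write of the tail */
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```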
@@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/ascon.h index 471e4a5..70a4dee 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/ascon.h @@ -5,10 +5,20 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + #define ASCON_ABSORB 0x1 #define ASCON_SQUEEZE 0x2 #define ASCON_INSERT 0x4 @@ -19,8 +29,8 @@ typedef struct { void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode); -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, const uint8_t* ad, uint64_t adlen, const uint8_t* npub, const uint8_t* k, uint8_t mode); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/config.h index a4f5879..f5873d0 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/config.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/config.h @@ -3,7 +3,7 @@ /* inline the ascon mode */ #ifndef ASCON_INLINE_MODE -#define ASCON_INLINE_MODE 0 +#define ASCON_INLINE_MODE 1 #endif /* inline all permutations */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null 
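Review bot: The new `} key_t;` in ascon.h reuses a name that POSIX already defines: <sys/types.h> declares `key_t` (the System V IPC key type), and as far as I can tell from glibc's headers it is also pulled in by <stdlib.h> under the default feature macros, so a translation unit that includes ascon.h next to either header gets a conflicting-typedef error; worth confirming on the toolchains you ship. The type is internal to this implementation, so a prefixed name costs nothing: `} ascon_key_t;` here, plus the `key_t key;` locals and `const key_t* key` parameters in encrypt.c (the opt64 encrypt.c visible earlier in this patch uses the same name and has the same exposure). The ASCON_INLINE_MODE default flip from 0 to 1 in config.h is a behaviour change for anyone building with the defaults and should be mentioned in the release notes.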
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/constants.h 
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/crypto_aead.c
new file mode 100644
index 0000000..ac5c61a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/crypto_aead.c
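Review bot: START, INC and END are only meaningful together with the PROUNDS loop in round.h, and nothing here says that START(n) has to reach END in exactly n steps or that RC(i) is the identity because the walked value is the byte XORed into x[2]; a reader checking that 0x3c really is one step below RCb has to redo the arithmetic. I would add above the three defines: `/* Round-constant walk for PROUNDS: ROUND(START(n)), ROUND(START(n)+INC), ... ends at RCb = 0x4b; END == 0x4b + INC. Only valid for 1 <= n <= 12. */`. The PRF/MAC constants (ASCON_PRF_IN_RATE, ASCON_PRFS_IV, ...) arrive with no user in this part of the patch; a one-line comment naming the variant they belong to would stop them reading as dead definitions.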
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/encrypt.c
index 4a5b335..c6100f6 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/encrypt.c
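Review bot: crypto_aead_decrypt writes the whole plaintext into m before the tag is compared, and on a mismatch returns -1 with m still holding the unauthenticated decryption, so a caller that ignores the return value or touches m on the error path consumes attacker-controlled bytes. Wiping the output on failure is cheap and is what the hardened AEAD wrappers do: after `result` is computed, `if (result) memset(m, 0, *mlen);` (memset needs <string.h>; the include names are not visible in this hunk, so check it is there). The compare loop `result |= t[i] ^ c[*mlen + i]` folded through `(((result - 1) >> 8) & 1) - 1` is branch-free as the comment asks, but `uint8_t t[16]` is sized by a literal while both loops run to CRYPTO_ABYTES; `uint8_t t[CRYPTO_ABYTES];` ties the two together.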
@@ -1,26 +1,95 @@ #include "api.h" #include "ascon.h" -#include "crypto_aead.h" #include "permutations.h" #include "printstate.h" -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, - const uint8_t* ad, uint64_t adlen, const uint8_t* npub, - const uint8_t* k, uint8_t mode); +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* 
nsec, const unsigned char* npub, - const unsigned char* k) { +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ state_t s; - (void)nsec; - /* set ciphertext size */ - *clen = mlen + CRYPTO_ABYTES; - /* ascon encryption */ - ascon_aead(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); - /* set tag */ - STOREBYTES(c + mlen, s.x3, 8); - STOREBYTES(c + mlen + 8, s.x4, 8); - return 0; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.c 
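Review bot: ascon_aead ends with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and the same for index 1, where t is the caller's `uint8_t t[16]` from crypto_aead.c: a plain byte array carries no 8-byte alignment guarantee, so this is a misaligned store on strict-alignment targets and an aliasing violation the optimizer may act on. STOREBYTES in word.h already does the endian conversion plus a memcpy, so `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` is the drop-in replacement. Separately, `ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB)` hands a null out pointer to a loop that advances `out += 8`; this is harmless on flat-memory targets but formally undefined, and a comment on the call stating that absorb mode never dereferences out would at least record the assumption.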
@@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/permutations.h 
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.c 
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/round.h index b4635a6..afdf76e 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/round.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/round.h 
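Review bot: printstate prints the entire state, and ascon_initaead in this tree calls it immediately after x[1]/x[2] are loaded with the key and x[3]/x[4] with the nonce (`printstate("init 1st key xor", s)`), so a binary built with ASCON_PRINT_STATE defined leaks key material to stdout; the file should say so rather than leave it to the reader. Suggested comment above printstate: `/* Debug/trace only: the dump includes key and nonce words during init -- never enable ASCON_PRINT_STATE in a production build. */`. The alignment loop `for (int i = strlen(text); i < 17; ++i)` also assigns a size_t to an int; `size_t i` avoids the conversion warning without changing the output.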
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint8_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= ROR(xtemp, 
10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/update.c index 7a4baa8..b81b24e 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/update.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/update.c 
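Review bot: PROUNDS's `do { ... } while (i != END)` has no bound other than the arithmetic identity START(nr) + nr * INC == END, which is true for nr in 1..12 and false for everything else, so an out-of-range nr spins until the int wraps. The callers in this patch all pass 12, 8 or 6 as literals, so nothing is broken today, but the precondition lives only in the reader's head. A comment such as `/* precondition: 1 <= nr <= 12, otherwise the walk never hits END */` above the loop, or a `P12ROUNDS`-style assert in debug builds, would make the contract explicit. ROUND is unchanged in effect; the in-place xtemp form is a faithful rewrite of the XOR/AND/NOT helpers it replaces.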
@@ -3,30 +3,75 @@ #include "permutations.h" #include "printstate.h" +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode) { - const int rate = 8; - const int nr = 6; - word_t tmp0; - int n = 0; - while (len) { - /* determine block size */ - n = len < rate ? len : rate; +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { /* absorb data */ - tmp0 = LOAD(in, n); - s->x0 = XOR(s->x0, tmp0); +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } /* extract data */ - if (mode & ASCON_SQUEEZE) STORE(out, s->x0, n); + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } /* insert data */ if (mode & ASCON_INSERT) { - s->x0 = CLEAR(s->x0, n); - s->x0 = XOR(s->x0, tmp0); + s->x[i] = tmp; + printstate("insert ciphertext", s); } /* compute permutation for full blocks */ - if (n == rate) P(s, nr); - in += n; - out += n; - len -= n; +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; } - s->x0 = XOR(s->x0, PAD(n % 8)); + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert 
data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/word.h index 3df73c4..79bfeb4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/word.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt64_lowsize/word.h @@ -2,30 +2,27 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" -typedef uint64_t word_t; +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -#define WORD_T -#define UINT64_T -#define U64TOWORD -#define WORDTOU64 +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); } +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } -forceinline word_t NOT(word_t a) { return ~a; } - -forceinline word_t XOR(word_t a, word_t b) { return a ^ b; } - -forceinline word_t AND(word_t a, word_t b) { return a & b; } - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { +forceinline int NOTZERO(uint64_t a, uint64_t b) { uint64_t result = a | b; result |= result >> 32; result |= result >> 16; 
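Review bot: `uint64_t tmp;` is declared without an initializer, yet the tail's `if (mode & ASCON_INSERT) { … s->x[i] ^= tmp; }` (and the same pattern inside the loop) relies on the absorb block having assigned it, which is only true when every mode that sets ASCON_INSERT also sets ASCON_ABSORB; the flag values are defined outside this hunk, so that invariant cannot be checked here. Writing `uint64_t tmp = 0;` makes the insert path well defined by construction and silences maybe-uninitialized warnings without changing any valid mode. The byte-wise loop also assumes ASCON_AEAD_RATE is exactly 8 or 16 (the `#if ASCON_AEAD_RATE == 8` / `== 16` arms encode it), which a one-line comment at the `#ifdef ASCON_AEAD_RATE` guard should say.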
@@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) {
 return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
 }
-forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t CLEAR(uint64_t w, int n) {
 /* undefined for n == 0 */
- uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8);
+ uint64_t mask = ~0ull >> (8 * n);
 return w & mask;
 }
@@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) {
 return ~0ull >> (64 - 8 * n);
 }
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
 uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64BIG(x);
+ return U64TOWORD(x);
 }
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
 *(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(w);
+ *(uint64_t*)bytes |= WORDTOU64(w);
 }
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
 uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
- return x;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
 }
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i];
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
 }
 #endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/api.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/api.h
index bc90a81..2c7f738 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/api.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/api.h
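Review bot: The context comment `/* undefined for n == 0 */` above CLEAR no longer matches the new mask: `~0ull >> (8 * n)` is well defined for n == 0 (all ones, nothing cleared) but shifts a 64-bit value by 64 when n == 8, which is undefined behaviour in C, so the valid domain has flipped from 1..8 to 0..7. Change the line to `/* undefined for n == 8 */` and check that no caller that used to pass a full block still does; the visible callers in update.c and encrypt.c pass the remainder of a partial block, which is below 8. The opt8 word.h hunk below carries the same new expression under the same stale comment.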
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 16
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/ascon.h
index 990027b..196110e 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/ascon.h
@@ -5,14 +5,28 @@
 #include "word.h"
-typedef struct {
- word_t x0, x1, x2, x3, x4;
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
 } state_t;
-void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k);
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
 void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
 void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
 void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
-void ascon_final(state_t* s, const uint8_t* k);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/config.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/config.h
index f5873d0..a4f5879 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/config.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/config.h
@@ -3,7 +3,7 @@
 /* inline the ascon mode */
 #ifndef ASCON_INLINE_MODE
-#define ASCON_INLINE_MODE 1
+#define ASCON_INLINE_MODE 0
 #endif
 /* inline all permutations */
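Review bot: The new `typedef struct { … } key_t;` in ascon.h takes the name of the POSIX type `key_t` from <sys/types.h>, which glibc's stdlib.h includes under its default feature macros, so any translation unit that sees both headers fails with a conflicting typedef; a project-prefixed name such as `ascon_key_t` avoids the clash and matches the `ASCON_` prefix used everywhere else in this patch. The conditional member also deserves a comment, `/* k0: first 4 key bytes, Ascon-80pq only; filled by ascon_loadkey */`, since the 160-bit layout is only visible in the opt8 encrypt.c hunk. The state_t union's three views (`x`, `w`, `b`) alias the same 40 bytes, which the byte-sliced S-box in round.h relies on; one line saying so at the union would spare readers the inference.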
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/opt8/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/encrypt.c 
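Review bot: `RC(i)`, `START(n)`, `INC` and `END` are undocumented and only make sense together: START(n) packs the first constant of an n-round permutation as high nibble 3+n and low nibble 12−n (START(12) is 0xf0 = RC0, START(6) is 0x96 = RC6), each INC step of −0x0f lowers the high nibble and raises the low one so the walk visits exactly the last n of RC0..RCb, and END (0x3c) is the value one step past RCb. A short comment block above `#define RC(i) (i)` stating this contract, and that it holds only for 1 ≤ n ≤ 12, would let a reader of PROUNDS in round.h check the loop bound without recomputing it. The lone `#include` lost its header name in the page extraction, so what it pulls in cannot be verified here.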
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/permutations.h 
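Review bot: The partial-block paths call LOAD/STORE with a byte count below 8 — `*px ^= LOAD(ad, adlen)` in ascon_adata, `LOAD(m, mlen)` / `STORE(c, *px, mlen)` in ascon_encrypt and `LOAD(c, clen)` / `STORE(m, *px, clen)` in ascon_decrypt — but the opt8 word.h in this same patch implements both as a full `*(uint64_t*)bytes` access masked by MASK(n), so at that point ad and m are read up to 7 bytes past the caller's buffer and, in ascon_decrypt, the final STORE writes up to 7 bytes past the end of the plaintext output m (c is only in bounds because the 16-byte tag follows it). word.h already provides LOADBYTES/STOREBYTES, which memcpy exactly n bytes, and this file already uses them for the tag; switching the five partial-block sites to them removes the out-of-bounds access without changing the computed state, since MASK already zeroed the extra bytes. The full-block loops are unaffected because they run only while at least ASCON_AEAD_RATE bytes remain.
```c
  /* … unchanged: ascon_adata full-block loop and rate-16 half block … */
  *px ^= PAD(adlen);
  if (adlen) *px ^= LOADBYTES(ad, adlen);
  /* … unchanged: ascon_encrypt full-block loop and rate-16 half block … */
  *px ^= PAD(mlen);
  if (mlen) {
    *px ^= LOADBYTES(m, mlen);
    STOREBYTES(c, *px, mlen);
  }
  /* … unchanged: ascon_decrypt full-block loop and rate-16 half block … */
  *px ^= PAD(clen);
  if (clen) {
    uint64_t cx = LOADBYTES(c, clen);
    *px ^= cx;
    STOREBYTES(m, *px, clen);
    *px = CLEAR(*px, clen);
    *px ^= cx;
  }
```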
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.c 
@@ -1,21 +1,32 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/round.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/round.h
index b4635a6..c059bbc 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/round.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/round.h
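Review bot: `for (int i = strlen(text); i < 17; ++i) printf(" ");` in printstate silently narrows the size_t returned by strlen to int; `for (size_t i = strlen(text); i < 17; ++i)` avoids the conversion warning and the 17 should be named, `/* pad the label to a fixed column so state dumps line up */`. The fallback `#define WORDTOU64` / `#define U64BIG` with no replacement list only works because an object-like empty macro makes `WORDTOU64(x)` expand to `(x)`; that reads like a typo until one sees the call site, so a comment `/* identity when word.h defines no conversion */` on each is worth the two lines. All of this sits behind ASCON_PRINT_STATE, so it is debug-only, but the guard rename in this hunk and the printstate.h hunk must also be applied to whatever build flag used to spell it ASCON_PRINTSTATE, which is not visible here.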
@@ -4,50 +4,61 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); +forceinline void LINEAR_LAYER(state_t* s, uint64_t xtemp) { + uint64_t temp; + temp = s->x[2] ^ ROR(s->x[2], 28 - 19); + s->x[0] = s->x[2] ^ ROR(temp, 19); + temp = s->x[4] ^ ROR(s->x[4], 6 - 1); + s->x[2] = s->x[4] ^ ROR(temp, 1); + temp = s->x[1] ^ ROR(s->x[1], 41 - 7); + s->x[4] = s->x[1] ^ ROR(temp, 7); + temp = s->x[3] ^ ROR(s->x[3], 61 - 39); + s->x[1] = s->x[3] ^ ROR(temp, 39); + temp = xtemp ^ ROR(xtemp, 17 - 10); + s->x[3] = xtemp ^ ROR(temp, 10); } -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); +forceinline void NONLINEAR_LAYER(state_t* s, word_t* xtemp, uint8_t pos) { + uint8_t t0; + uint8_t t1; + uint8_t t2; + // Based on the round description of Ascon given in the Bachelor's thesis: + //"Optimizing Ascon on RISC-V" of Lars Jellema + // see https://github.com/Lucus16/ascon-riscv/ + t0 = XOR8(s->b[1][pos], s->b[2][pos]); + t1 = XOR8(s->b[0][pos], s->b[4][pos]); + t2 = XOR8(s->b[3][pos], s->b[4][pos]); + s->b[4][pos] = OR8(s->b[3][pos], NOT8(s->b[4][pos])); + s->b[4][pos] = XOR8(s->b[4][pos], t0); + s->b[3][pos] = XOR8(s->b[3][pos], s->b[1][pos]); + s->b[3][pos] = OR8(s->b[3][pos], t0); + s->b[3][pos] = XOR8(s->b[3][pos], t1); + s->b[2][pos] = XOR8(s->b[2][pos], t1); + s->b[2][pos] = OR8(s->b[2][pos], s->b[1][pos]); + s->b[2][pos] = XOR8(s->b[2][pos], t2); + s->b[1][pos] = AND8(s->b[1][pos], NOT8(t1)); + s->b[1][pos] = XOR8(s->b[1][pos], t2); + s->b[0][pos] = OR8(s->b[0][pos], t2); + (*xtemp).b[pos] = XOR8(s->b[0][pos], t0); } -forceinline void ROUND(state_t* s, word_t C) { +forceinline void ROUND(state_t* s, uint8_t C) { word_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->b[2][0] = XOR8(s->b[2][0], C); /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, 
s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + for (uint8_t i = 0; i < 8; i++) NONLINEAR_LAYER(s, &xtemp, i); /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + LINEAR_LAYER(s, xtemp.x); printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/opt8/word.h b/ascon/Implementations/crypto_aead/ascon128v12/opt8/word.h index cda2e83..4fd3cf0 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/opt8/word.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/opt8/word.h @@ -2,17 +2,19 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" typedef union { - uint64_t w; + uint64_t x; + uint32_t w[2]; uint8_t b[8]; } word_t; -#define U64TOWORD WORD_T -#define WORDTOU64 UINT64_T +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) #define XMUL(i, x) \ do { \ 
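Review bot: LINEAR_LAYER does more than its name says — it writes the diffused x[2] into x[0], x[4] into x[2], x[1] into x[4], x[3] into x[1] and the byte-sliced xtemp into x[3], and the reference round's final `~x2` is gone — yet only NONLINEAR_LAYER carries the citation to the Jellema thesis that presumably justifies the renaming and the OR/BIC form. Add above LINEAR_LAYER a comment such as `/* applies the linear layer and undoes the word renaming of the byte-sliced S-box: x0 <- L(x2), x2 <- L(x4), x4 <- L(x1), x1 <- L(x3), x3 <- L(xtemp) */`, and move or copy the thesis reference to the top of the file so both halves are covered. `word_t xtemp;` in ROUND is fully defined only after all eight NONLINEAR_LAYER calls, which the fixed `i < 8` loop guarantees; a one-line comment on the declaration would make that explicit. The PROUNDS added here has the nr == 0 non-termination raised on the earlier round.h hunk.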
@@ -21,8 +23,8 @@ typedef union { b.b[(byte_rol + (i) + 1) & 0x7] ^= tmp >> 8; \ } while (0) -forceinline word_t ROR(word_t a, int n) { - word_t b = {.w = 0ull}; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t a = {.x = x}, b = {.x = 0ull}; int bit_rol = (64 - n) & 0x7; int byte_rol = (64 - n) >> 3; uint16_t tmp; 
@@ -34,73 +36,63 @@ forceinline word_t ROR(word_t a, int n) { XMUL(5, bit_rol); XMUL(6, bit_rol); XMUL(7, bit_rol); - return b; + return b.x; } -forceinline word_t WORD_T(uint64_t x) { return (word_t){.w = x}; } +forceinline uint8_t NOT8(uint8_t a) { return ~a; } -forceinline uint64_t UINT64_T(word_t w) { return w.w; } +forceinline uint8_t XOR8(uint8_t a, uint8_t b) { return a ^ b; } -forceinline word_t NOT(word_t a) { - a.w = ~a.w; - return a; -} - -forceinline word_t XOR(word_t a, word_t b) { - a.w ^= b.w; - return a; -} +forceinline uint8_t AND8(uint8_t a, uint8_t b) { return a & b; } -forceinline word_t AND(word_t a, word_t b) { - a.w &= b.w; - return a; -} +forceinline uint8_t OR8(uint8_t a, uint8_t b) { return a | b; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - return (word_t){.w = lo2hi.w << 32 | hi2lo.w >> 32}; +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { - uint64_t result = a.w | b.w; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return WORD_T(0x80ull << (56 - 8 * i)); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } -forceinline uint64_t MASK(int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - return ~0ull >> (64 - 8 * n); + uint64_t mask = ~0ull >> (8 * n); + return w & mask; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); - return AND(w, WORD_T(mask)); + return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = 
*(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/api.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/api.h new file mode 100644 index 0000000..75aa1cf --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/api.h @@ -0,0 +1,31 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 + +#ifndef ASCON_ROR_SHARES +#define ASCON_ROR_SHARES 5 +#endif + +#ifndef NUM_SHARES_M +#define NUM_SHARES_M 2 +#endif + +#ifndef NUM_SHARES_C +#define NUM_SHARES_C 2 +#endif + +#ifndef NUM_SHARES_AD +#define NUM_SHARES_AD 2 +#endif + +#ifndef NUM_SHARES_NPUB +#define NUM_SHARES_NPUB 2 +#endif + +#ifndef NUM_SHARES_KEY +#define NUM_SHARES_KEY 2 +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/architectures b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null 
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/ascon.h
new file mode 100644
index 0000000..7f8ad51
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/ascon.h
@@ -0,0 +1,28 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "shares.h"
+#include "word.h"
+
+typedef struct {
+ word_t x[6];
+} state_t;
+
+void ascon_initaead(state_t* s, const mask_npub_uint32_t* n,
+ const mask_key_uint32_t* k);
+void ascon_adata(state_t* s, const mask_ad_uint32_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, mask_c_uint32_t* c, const mask_m_uint32_t* m,
+ uint64_t mlen);
+void ascon_decrypt(state_t* s, mask_m_uint32_t* m, const mask_c_uint32_t* c,
+ uint64_t clen);
+void ascon_final(state_t* s, const mask_key_uint32_t* k);
+void ascon_settag(state_t* s, mask_c_uint32_t* t);
+int ascon_verify(state_t* s, const mask_c_uint32_t* t);
+
+void ascon_level_adata(state_t* s);
+void ascon_level_encdec(state_t* s);
+void ascon_level_final(state_t* s);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/asm.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/asm.h
new file mode 100644
index 0000000..ea94bb7
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/asm.h
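Review bot: `word_t x[6]` in the protected state_t leaves a reader guessing why a 320-bit state needs six words; the sixth is presumably scratch or randomness for the masked S-box, but nothing here says so. A comment on the member, `/* x[0..4]: the five Ascon state words (shared); x[5]: <purpose — confirm against round code> */`, would fix that, and the `mask_*_uint32_t` parameter types come from shares.h outside this hunk, so a line at the prototypes saying that each carries NUM_SHARES_* shares (the defaults are set in the api.h hunk above) would make the interface self-describing. The `ascon_level_*` prototypes have no comment at all; one sentence on what a "level" change does to the state would help callers order them correctly.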
@@ -0,0 +1,55 @@
+#ifndef ASM_H_
+#define ASM_H_
+
+#ifndef __GNUC__
+#define __asm__ asm
+#endif
+
+#define LDR(rd, ptr, offset) \
+ __asm__ volatile("ldr %0, [%1, %2]\n\t" : "=r"(rd) : "r"(ptr), "ri"(offset))
+
+#define STR(rd, ptr, offset) \
+ __asm__ volatile("str %0, [%1, %2]\n\t" ::"r"(rd), "r"(ptr), "ri"(offset) \
+ : "memory")
+
+#define CLEAR() \
+ do { \
+ uint32_t r, v = 0; \
+ __asm__ volatile("mov %0, %1\n\t" : "=r"(r) : "i"(v)); \
+ } while (0)
+
+#define MOVI(rd, imm) __asm__ volatile("mov %0, %1\n\t" : "=r"(rd) : "i"(imm))
+
+#define RORI(rd, rn, imm) \
+ __asm__ volatile("ror %0, %1, #%c2\n\t" : "=r"(rd) : "r"(rn), "i"(imm))
+
+#define EOR_ROR(rd, rn, rm, imm) \
+ __asm__ volatile("eor %0, %1, %2, ror #%c3\n\t" \
+ : "=r"(rd) \
+ : "r"(rn), "r"(rm), "i"(imm))
+
+#define EOR_AND_ROR(ce, ae, be, imm, tmp) \
+ __asm__ volatile( \
+ "and %[tmp_], %[ae_], %[be_], ror %[i1_]\n\t" \
+ "eor %[ce_], %[tmp_], %[ce_]\n\t" \
+ : [ ce_ ] "+r"(ce), [ tmp_ ] "=r"(tmp) \
+ : [ ae_ ] "r"(ae), [ be_ ] "r"(be), [ i1_ ] "i"(ROT(imm)) \
+ :)
+
+#define EOR_BIC_ROR(ce, ae, be, imm, tmp) \
+ __asm__ volatile( \
+ "bic %[tmp_], %[ae_], %[be_], ror %[i1_]\n\t" \
+ "eor %[ce_], %[tmp_], %[ce_]\n\t" \
+ : [ ce_ ] "+r"(ce), [ tmp_ ] "=r"(tmp) \
+ : [ ae_ ] "r"(ae), [ be_ ] "r"(be), [ i1_ ] "i"(ROT(imm)) \
+ :)
+
+#define EOR_ORR_ROR(ce, ae, be, imm, tmp) \
+ __asm__ volatile( \
+ "orr %[tmp_], %[ae_], %[be_], ror %[i1_]\n\t" \
+ "eor %[ce_], %[tmp_], %[ce_]\n\t" \
+ : [ ce_ ] "+r"(ce), [ tmp_ ] "=r"(tmp) \
+ : [ ae_ ] "r"(ae), [ be_ ] "r"(be), [ i1_ ] "i"(ROT(imm)) \
+ :)
+
+#endif // ASM_H_
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/config.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/config.h
new file mode 100644
index 0000000..6218a8a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/config.h
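Review bot: `LDR(rd, ptr, offset)` declares only register operands and no memory dependency, so the compiler may legally move an ordinary C store to `*ptr` after the asm — `volatile` orders it against other volatile asm and side effects, not against plain loads and stores — while STR is correctly fenced by its `"memory"` clobber; LDR should match, `__asm__ volatile("ldr %0, [%1, %2]\n\t" : "=r"(rd) : "r"(ptr), "ri"(offset) : "memory")`, unless every write to the buffers it reads is itself done through STR, which cannot be confirmed from this header. `CLEAR()` produces a value in an unnamed register that nothing consumes, so it reads as dead code until the reader guesses its purpose; a comment such as `/* overwrite a scratch register with zero so a previously held share does not linger */` (presumed intent, confirm) belongs on it. `ROT()` used by the EOR_*_ROR macros is defined outside this file, and the `#define __asm__ asm` fallback for non-GCC compilers does not make the GCC-style operand syntax below portable, which the `#ifndef __GNUC__` block should admit.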
@@ -0,0 +1,37 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +#include "api.h" + +/* extern bit interleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + +/* number of PA rounds */ +#ifndef ASCON_PA_ROUNDS +#define ASCON_PA_ROUNDS 12 +#endif + +/* number of PB rounds */ +#ifndef ASCON_PB_ROUNDS +#define ASCON_PB_ROUNDS 6 +#endif + +#if NUM_SHARES_M != NUM_SHARES_KEY +#error "NUM_SHARES_M != NUM_SHARES_KEY currently not supported" +#endif + +#if NUM_SHARES_C != NUM_SHARES_M +#error "NUM_SHARES_C != NUM_SHARES_M currently not supported" +#endif + +#if NUM_SHARES_AD != NUM_SHARES_M +#error "NUM_SHARES_AD != NUM_SHARES_M currently not supported" +#endif + +#if NUM_SHARES_NPUB != NUM_SHARES_KEY +#error "NUM_SHARES_NPUB != NUM_SHARES_KEY currently not supported" +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.c new file mode 100644 index 0000000..13bb289 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.c @@ -0,0 +1,5 @@ +#include "constants.h" + +const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9, + 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9, + 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3}; diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.h new file mode 100644 index 0000000..fda3a6c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/constants.h 
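Review bot: The four `#if NUM_SHARES_X != NUM_SHARES_Y` checks pass vacuously when `api.h` fails to define one of the share counts, because an undefined identifier evaluates to 0 in `#if` and all four then compare equal. Adding an existence check ahead of them would make a misconfigured `api.h` a build error rather than a silently unmasked build: `#ifndef NUM_SHARES_KEY` / `#error "NUM_SHARES_KEY must be defined in api.h"` (and likewise for `NUM_SHARES_NPUB`, `NUM_SHARES_AD`, `NUM_SHARES_M`, `NUM_SHARES_C`). Since `ASCON_PB_ROUNDS` is overridable here, a range check (`#if ASCON_PB_ROUNDS < 1 || ASCON_PB_ROUNDS > 12` / `#error`) would also protect the round-constant indexing in `round.h`.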
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) constants[2 * i + 1], constants[2 * i + 0] + +#define START(n) (12 - (n)) +#define INC 1 +#define END 12 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead.c new file mode 100644 index 0000000..a6e867f --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead.c 
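Review bot: `RC(i)` uses its parameter unparenthesised in `2 * i + 1`, so any call with an expression argument (e.g. `RC(i + 1)`) would expand to `2 * i + 1 + 1`; the current caller passes a plain variable, so this is latent, but `#define RC(i) constants[2 * (i) + 1], constants[2 * (i) + 0]` costs nothing. A short comment on `RC`, `START`, `INC` and `END` saying that `i` indexes the 24-entry `constants[]` table in `constants.c` and must stay in 0..11 would document the invariant the `PROUNDS` loop depends on.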
@@ -0,0 +1,73 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "crypto_aead_shared.h" + +#ifdef SS_VER +#include "hal.h" +#else +#define trigger_high() +#define trigger_low() +#endif + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* a, unsigned long long alen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + /* dynamic allocation of input/output shares */ + mask_key_uint32_t* ks = malloc(sizeof(*ks) * NUM_WORDS(CRYPTO_KEYBYTES)); + mask_npub_uint32_t* ns = malloc(sizeof(*ns) * NUM_WORDS(CRYPTO_NPUBBYTES)); + mask_ad_uint32_t* as = malloc(sizeof(*as) * NUM_WORDS(alen)); + mask_m_uint32_t* ms = malloc(sizeof(*ms) * NUM_WORDS(mlen)); + mask_c_uint32_t* cs = malloc(sizeof(*cs) * NUM_WORDS(mlen + CRYPTO_ABYTES)); + /* mask plain input data */ + generate_shares_encrypt(m, ms, mlen, a, as, alen, npub, ns, k, ks); + /* call shared interface of ascon encrypt */ + trigger_high(); + crypto_aead_encrypt_shared(cs, clen, ms, mlen, as, alen, ns, ks); + trigger_low(); + /* unmask shared output data */ + combine_shares_encrypt(cs, c, *clen); + /* free shares */ + free(ks); + free(ns); + free(as); + free(ms); + free(cs); + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* a, + unsigned long long alen, const unsigned char* npub, + const unsigned char* k) { + int result = 0; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* dynamic allocation of input/output shares */ + mask_key_uint32_t* ks = malloc(sizeof(*ks) * NUM_WORDS(CRYPTO_KEYBYTES)); + mask_npub_uint32_t* ns = malloc(sizeof(*ns) * NUM_WORDS(CRYPTO_NPUBBYTES)); + mask_ad_uint32_t* as = malloc(sizeof(*as) * NUM_WORDS(alen)); + mask_m_uint32_t* ms = malloc(sizeof(*ms) * NUM_WORDS(clen - CRYPTO_ABYTES)); + mask_c_uint32_t* cs = 
malloc(sizeof(*cs) * NUM_WORDS(clen)); + /* mask plain input data */ + generate_shares_decrypt(c, cs, clen, a, as, alen, npub, ns, k, ks); + /* call shared interface of ascon decrypt */ + trigger_high(); + result = crypto_aead_decrypt_shared(ms, mlen, cs, clen, as, alen, ns, ks); + trigger_low(); + /* unmask shared output data */ + combine_shares_decrypt(ms, m, *mlen); + /* free shares */ + free(ks); + free(ns); + free(as); + free(ms); + free(cs); + return result; +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.c new file mode 100644 index 0000000..c37ee77 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.c @@ -0,0 +1,40 @@ +#include "crypto_aead_shared.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "shares.h" + +int crypto_aead_encrypt_shared(mask_c_uint32_t* cs, unsigned long long* clen, + const mask_m_uint32_t* ms, + unsigned long long mlen, + const mask_ad_uint32_t* ads, + unsigned long long adlen, + const mask_npub_uint32_t* npubs, + const mask_key_uint32_t* ks) { + state_t s; + *clen = mlen + CRYPTO_ABYTES; + ascon_initaead(&s, npubs, ks); + ascon_adata(&s, ads, adlen); + ascon_encrypt(&s, cs, ms, mlen); + ascon_final(&s, ks); + ascon_settag(&s, cs + NUM_WORDS(mlen)); + return 0; +} + +int crypto_aead_decrypt_shared(mask_m_uint32_t* ms, unsigned long long* mlen, + const mask_c_uint32_t* cs, + unsigned long long clen, + const mask_ad_uint32_t* ads, + unsigned long long adlen, + const mask_npub_uint32_t* npubs, + const mask_key_uint32_t* ks) { + state_t s; + *mlen = clen - CRYPTO_ABYTES; + ascon_initaead(&s, npubs, ks); + ascon_adata(&s, ads, adlen); + ascon_decrypt(&s, ms, cs, *mlen); + ascon_final(&s, ks); + return ascon_verify(&s, cs + NUM_WORDS(*mlen)); +} 
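Review bot: None of the five `malloc` results in `crypto_aead_encrypt` or `crypto_aead_decrypt` is checked, so an allocation failure (plausible on a small-heap target, and `malloc(0)` for an empty `alen`/`mlen` may legitimately return NULL) is dereferenced inside `generate_shares_*`; a single guard before the masking call, `if (!ks || !ns || !as || !ms || !cs) { result = -1; goto cleanup; }` with a `cleanup:` label in front of the `free` calls, handles both functions. In `crypto_aead_decrypt` the unmasking `combine_shares_decrypt(ms, m, *mlen)` runs regardless of `result`, so a forged ciphertext still leaves its decryption in the caller's `m` buffer; guarding it as `if (result == 0) combine_shares_decrypt(ms, m, *mlen); else *mlen = 0;` keeps unverified plaintext from being released. The freed buffers (`ks`, `ns` in particular) still hold the key and nonce shares after `free`; whether they should be cleared first is a design choice, but it deserves a comment either way.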
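Review bot: `crypto_aead_decrypt_shared` computes `*mlen = clen - CRYPTO_ABYTES` without checking `clen >= CRYPTO_ABYTES`; the wrapper in `crypto_aead.c` does check, but this function is declared in `crypto_aead_shared.h` and callable directly, and the underflow turns `*mlen` into a huge length passed to `ascon_decrypt`. A first-statement guard `if (clen < CRYPTO_ABYTES) return -1;` closes that path. The local `state_t s` still contains key-derived state when either function returns; if the surrounding build expects stack hygiene, clearing it before `return` (in a way the compiler cannot elide) would be worth a comment or a helper.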
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.h new file mode 100644 index 0000000..c9d7b5c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/crypto_aead_shared.h @@ -0,0 +1,17 @@ +#include "shares.h" + +int crypto_aead_encrypt_shared(mask_c_uint32_t* cs, unsigned long long* clen, + const mask_m_uint32_t* ms, + unsigned long long mlen, + const mask_ad_uint32_t* ads, + unsigned long long adlen, + const mask_npub_uint32_t* npubs, + const mask_key_uint32_t* ks); + +int crypto_aead_decrypt_shared(mask_m_uint32_t* ms, unsigned long long* mlen, + const mask_c_uint32_t* cs, + unsigned long long clen, + const mask_ad_uint32_t* ads, + unsigned long long adlen, + const mask_npub_uint32_t* npubs, + const mask_key_uint32_t* ks); diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/encrypt.c new file mode 100644 index 0000000..82a0085 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/encrypt.c 
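Review bot: `crypto_aead_shared.h` has no include guard, unlike every other header in this directory, so a translation unit that includes it twice (directly and via another header) gets duplicate declarations; wrap it in `#ifndef CRYPTO_AEAD_SHARED_H_` / `#define CRYPTO_AEAD_SHARED_H_` / `#endif` to match `ascon.h` and friends. The two prototypes would also benefit from a one-line comment stating that `cs` must hold `NUM_WORDS(mlen + CRYPTO_ABYTES)` masked words and that the decrypt side writes `*mlen` before verification.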
@@ -0,0 +1,195 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +void ascon_initaead(state_t* s, const mask_npub_uint32_t* n, + const mask_key_uint32_t* k) { + word_t N0, N1; + word_t K1, K2; + /* randomize the initial state */ + s->x[5] = MZERO(NUM_SHARES_KEY); + s->x[0] = MZERO(NUM_SHARES_KEY); + /* set the initial value */ + s->x[0].s[0].w[0] ^= 0x08220000; + s->x[0].s[0].w[1] ^= 0x80210000; + /* set the nonce */ + s->x[3] = N0 = MLOAD((uint32_t*)n, NUM_SHARES_NPUB); + s->x[4] = N1 = MLOAD((uint32_t*)(n + 2), NUM_SHARES_NPUB); + /* first key xor */ + s->x[1] = K1 = MLOAD((uint32_t*)k, NUM_SHARES_KEY); + s->x[2] = K2 = MLOAD((uint32_t*)(k + 2), NUM_SHARES_KEY); + printstate("init 1st key xor", s, NUM_SHARES_KEY); + /* compute the permutation */ + P(s, ASCON_PA_ROUNDS, NUM_SHARES_KEY); + /* second key xor */ + s->x[3] = MXOR(s->x[3], K1, NUM_SHARES_KEY); + s->x[4] = MXOR(s->x[4], K2, NUM_SHARES_KEY); + printstate("init 2nd key xor", s, NUM_SHARES_KEY); +} + +void ascon_adata(state_t* s, const mask_ad_uint32_t* ad, uint64_t adlen) { + const int nr = ASCON_PB_ROUNDS; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + word_t as = MLOAD((uint32_t*)ad, NUM_SHARES_AD); + s->x[0] = MXOR(s->x[0], as, NUM_SHARES_AD); + printstate("absorb adata", s, NUM_SHARES_AD); + P(s, nr, NUM_SHARES_AD); + adlen -= ASCON_AEAD_RATE; + ad += 2; + } + /* final associated data block */ + s->x[0].s[0].w[1] ^= 0x80000000 >> (adlen * 4); + if (adlen) { + word_t as = MLOAD((uint32_t*)ad, NUM_SHARES_AD); + s->x[0] = MXOR(s->x[0], as, NUM_SHARES_AD); + } + printstate("pad adata", s, NUM_SHARES_AD); + P(s, nr, NUM_SHARES_AD); + } + /* domain separation */ + s->x[4].s[0].w[0] ^= 1; + printstate("domain separation", s, NUM_SHARES_AD); +} + +void ascon_encrypt(state_t* s, mask_c_uint32_t* c, const mask_m_uint32_t* m, + uint64_t mlen) { + const int nr = ASCON_PB_ROUNDS; + /* full plaintext blocks */ + while (mlen >= 
ASCON_AEAD_RATE) { + word_t ms = MLOAD((uint32_t*)m, NUM_SHARES_M); + s->x[0] = MXOR(s->x[0], ms, NUM_SHARES_M); + MSTORE((uint32_t*)c, s->x[0], NUM_SHARES_C); + printstate("absorb plaintext", s, NUM_SHARES_M); + P(s, nr, NUM_SHARES_M); + mlen -= ASCON_AEAD_RATE; + m += 2; + c += 2; + } + /* final plaintext block */ + s->x[0].s[0].w[1] ^= 0x80000000 >> (mlen * 4); + if (mlen) { + word_t ms = MLOAD((uint32_t*)m, NUM_SHARES_M); + s->x[0] = MXOR(s->x[0], ms, NUM_SHARES_M); + MSTORE((uint32_t*)c, s->x[0], NUM_SHARES_C); + } + printstate("pad plaintext", s, NUM_SHARES_M); +} + +void ascon_decrypt(state_t* s, mask_m_uint32_t* m, const mask_c_uint32_t* c, + uint64_t clen) { + const int nr = ASCON_PB_ROUNDS; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + word_t cx = MLOAD((uint32_t*)c, NUM_SHARES_C); + s->x[0] = MXOR(s->x[0], cx, NUM_SHARES_C); + MSTORE((uint32_t*)m, s->x[0], NUM_SHARES_M); + s->x[0] = cx; + printstate("insert ciphertext", s, NUM_SHARES_M); + P(s, nr, NUM_SHARES_M); + clen -= ASCON_AEAD_RATE; + c += 2; + m += 2; + } + /* final ciphertext block */ + s->x[0].s[0].w[1] ^= 0x80000000 >> (clen * 4); + if (clen) { + word_t cx = MLOAD((uint32_t*)c, NUM_SHARES_C); + s->x[0] = MXOR(s->x[0], cx, NUM_SHARES_C); + MSTORE((uint32_t*)m, s->x[0], NUM_SHARES_M); + word_t mask = MMASK(clen, NUM_SHARES_C); + s->x[0] = MXORAND(cx, s->x[0], mask, NUM_SHARES_C); + } + printstate("pad ciphertext", s, NUM_SHARES_M); +} + +void ascon_final(state_t* s, const mask_key_uint32_t* k) { + word_t K1, K2; + K1 = MLOAD((uint32_t*)k, NUM_SHARES_KEY); + K2 = MLOAD((uint32_t*)(k + 2), NUM_SHARES_KEY); + /* first key xor (first 64-bit word) */ + s->x[1] = MXOR(s->x[1], K1, NUM_SHARES_KEY); + /* first key xor (second 64-bit word) */ + s->x[2] = MXOR(s->x[2], K2, NUM_SHARES_KEY); + printstate("final 1st key xor", s, NUM_SHARES_KEY); + /* compute the permutation */ + P(s, ASCON_PA_ROUNDS, NUM_SHARES_KEY); + /* second key xor (first 64-bit word) */ + s->x[3] = MXOR(s->x[3], 
K1, NUM_SHARES_KEY); + /* second key xor (second 64-bit word) */ + s->x[4] = MXOR(s->x[4], K2, NUM_SHARES_KEY); + printstate("final 2nd key xor", s, NUM_SHARES_KEY); +} + +void ascon_settag(state_t* s, mask_c_uint32_t* t) { + MSTORE((uint32_t*)t, s->x[3], NUM_SHARES_C); + MSTORE((uint32_t*)(t + 2), s->x[4], NUM_SHARES_C); +} + +/* expected value of x3,x4 for P(0) */ +#if ASCON_PB_ROUNDS == 1 +static const uint32_t c[4] = {0x4b000009, 0x1c800003, 0x00000000, 0x00000000}; +#elif ASCON_PB_ROUNDS == 2 +static const uint32_t c[4] = {0x5d2d1034, 0x76fa81d1, 0x0cc1c9ef, 0xdb30a503}; +#elif ASCON_PB_ROUNDS == 3 +static const uint32_t c[4] = {0xbcaa1d46, 0xf1d0bde9, 0x32c4e651, 0x7b797cd9}; +#elif ASCON_PB_ROUNDS == 4 +static const uint32_t c[4] = {0xf7820616, 0xeffead2d, 0x94846901, 0xd4895cf5}; +#elif ASCON_PB_ROUNDS == 5 +static const uint32_t c[4] = {0x9e5ce5e3, 0xd40e9b87, 0x0bfc74af, 0xf8e408a9}; +#else /* ASCON_PB_ROUNDS == 6 */ +static const uint32_t c[4] = {0x11874f08, 0x7520afef, 0xa4dd41b4, 0x4bd6f9a4}; +#endif + +void ascon_xortag(state_t* s, const mask_c_uint32_t* t) { + /* set x0, x1, x2 to zero */ + s->x[0] = MREUSE(s->x[0], 0, NUM_SHARES_KEY); + s->x[1] = MREUSE(s->x[1], 0, NUM_SHARES_KEY); + s->x[2] = MREUSE(s->x[2], 0, NUM_SHARES_KEY); + /* xor tag to x3, x4 */ + word_t t0 = MLOAD((uint32_t*)t, NUM_SHARES_C); + s->x[3] = MXOR(s->x[3], t0, NUM_SHARES_C); + word_t t1 = MLOAD((uint32_t*)(t + 2), NUM_SHARES_C); + s->x[4] = MXOR(s->x[4], t1, NUM_SHARES_C); + /* compute P(0) if tags are equal */ + P(s, ASCON_PB_ROUNDS, NUM_SHARES_KEY); + /* xor expected result to x3, x4 */ + s->x[3].s[0].w[0] ^= c[0]; + s->x[3].s[0].w[1] ^= c[1]; + s->x[4].s[0].w[0] ^= c[2]; + s->x[4].s[0].w[1] ^= c[3]; +} + +int ascon_iszero(state_t* s) { +#if NUM_SHARES_KEY >= 2 + s->x[3].s[0].w[0] ^= ROR32(s->x[3].s[1].w[0], ROT(1)); + s->x[3].s[0].w[1] ^= ROR32(s->x[3].s[1].w[1], ROT(1)); + s->x[4].s[0].w[0] ^= ROR32(s->x[4].s[1].w[0], ROT(1)); + s->x[4].s[0].w[1] ^= ROR32(s->x[4].s[1].w[1], 
ROT(1)); +#endif +#if NUM_SHARES_KEY >= 3 + s->x[3].s[0].w[0] ^= ROR32(s->x[3].s[2].w[0], ROT(2)); + s->x[3].s[0].w[1] ^= ROR32(s->x[3].s[2].w[1], ROT(2)); + s->x[4].s[0].w[0] ^= ROR32(s->x[4].s[2].w[0], ROT(2)); + s->x[4].s[0].w[1] ^= ROR32(s->x[4].s[2].w[1], ROT(2)); +#endif +#if NUM_SHARES_KEY >= 4 + s->x[3].s[0].w[0] ^= ROR32(s->x[3].s[3].w[0], ROT(3)); + s->x[3].s[0].w[1] ^= ROR32(s->x[3].s[3].w[1], ROT(3)); + s->x[4].s[0].w[0] ^= ROR32(s->x[4].s[3].w[0], ROT(3)); + s->x[4].s[0].w[1] ^= ROR32(s->x[4].s[3].w[1], ROT(3)); +#endif + uint32_t result; + result = s->x[3].s[0].w[0] ^ s->x[3].s[0].w[1]; + result ^= s->x[4].s[0].w[0] ^ s->x[4].s[0].w[1]; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +int ascon_verify(state_t* s, const mask_c_uint32_t* t) { + ascon_xortag(s, t); + return ascon_iszero(s); +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/endian.h 
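Review bot: `ascon_iszero` right-shifts a negative `int` (`((int)(result & 0xff) - 1) >> 8` when the tag matches), which is implementation-defined in C; every mainstream compiler does an arithmetic shift, but the same 0/-1 result is fully defined with unsigned arithmetic: `return (int)(((result & 0xffu) - 1u) >> 31) - 1;`. `ascon_xortag` and `ascon_iszero` have external linkage but no prototype in `ascon.h`, so they should be `static` (they are only reached through `ascon_verify`). A comment on `ascon_xortag` that the P(0)-based comparison intentionally avoids a direct tag compare on shared data, and on the `c[4]` table that it is the expected `x3,x4` for the configured `ASCON_PB_ROUNDS`, would make the verification path easier to audit.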
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/forceinline.h 
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_emsca b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_emsca new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_emsca diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_1st b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_1st new file mode 100644 index 0000000..228078a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_1st 
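Review bot: The `#elif defined(__CLANG__)` branch is dead: clang defines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so it is already handled by the preceding branch. Either drop the branch or spell it `#elif defined(__clang__)` so the `__has_attribute` check is actually reachable on a compiler that needs it.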
@@ -0,0 +1,2 @@ +using 3 rotated shares +using 2 rotated shares (on certain devices) diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_2nd b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_2nd new file mode 100644 index 0000000..c0abbba --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/goal_powersca_2nd @@ -0,0 +1 @@ +using 3 rotated shares (on certain devices) diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/implementors b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.c new file mode 100644 index 0000000..a7059e6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.c @@ -0,0 +1,6 @@ +#include "interleave.h" + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } +uint64_t FROMBI(uint64_t in) { return interleave32(in); } diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.h new file mode 100644 index 0000000..e3f2d6d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/interleave.h 
@@ -0,0 +1,70 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "forceinline.h" + +#define BD(e, o, lo, hi) \ + do { \ + uint64_t tmp = TOBI((uint64_t)(hi) << 32 | (lo)); \ + e = (uint32_t)tmp; \ + o = tmp >> 32; \ + } while (0) + +#define BI(lo, hi, e, o) \ + do { \ + uint64_t tmp = FROMBI((uint64_t)(o) << 32 | (e)); \ + lo = (uint32_t)tmp; \ + hi = tmp >> 32; \ + } while (0) + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return (uint64_t)hi << 32 | lo; +} + +#endif /* INTERLEAVE_H_ */ 
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.c new file mode 100644 index 0000000..f72a1f1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.c @@ -0,0 +1,20 @@ +#include "permutations.h" + +#include "api.h" +#include "round.h" + +#if NUM_SHARES_KEY == 1 || NUM_SHARES_AD == 1 || NUM_SHARES_M == 1 +void P1(state_t* s, int nr) { PROUNDS(s, nr, 1); } +#endif + +#if NUM_SHARES_KEY == 2 || NUM_SHARES_AD == 2 || NUM_SHARES_M == 2 +void P2(state_t* s, int nr) { PROUNDS(s, nr, 2); } +#endif + +#if NUM_SHARES_KEY == 3 || NUM_SHARES_AD == 3 || NUM_SHARES_M == 3 +void P3(state_t* s, int nr) { PROUNDS(s, nr, 3); } +#endif + +#if NUM_SHARES_KEY == 4 || NUM_SHARES_AD == 4 || NUM_SHARES_M == 4 +void P4(state_t* s, int nr) { PROUNDS(s, nr, 4); } +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.h new file mode 100644 index 0000000..ad11003 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/permutations.h @@ -0,0 +1,18 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include "ascon.h" + +void P1(state_t* s, int nr); +void P2(state_t* s, int nr); +void P3(state_t* s, int nr); +void P4(state_t* s, int nr); + +forceinline void P(state_t* s, int nr, int ns) { + if (ns == 1) P1(s, nr); + if (ns == 2) P2(s, nr); + if (ns == 3) P3(s, nr); + if (ns == 4) P4(s, nr); +} + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.c new file mode 100644 index 0000000..9bc0f3a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.c 
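Review bot: `permutations.h` declares `P1`..`P4` unconditionally and `P()` calls all four behind `if (ns == N)` tests, while `permutations.c` only defines the variants whose share count is actually configured; with `forceinline` at -O0 the dead calls may survive constant folding and produce undefined references at link time. Guarding the prototypes and the dispatch lines with the same `#if NUM_SHARES_KEY == N || NUM_SHARES_AD == N || NUM_SHARES_M == N` conditions as `permutations.c` would make the two files agree. `P()` also falls through silently for an `ns` outside 1..4; a comment stating that `ns` must be one of the configured share counts would document that contract.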
@@ -0,0 +1,45 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +#include "ascon.h" +#include "shares.h" +#include "word.h" + +void printword(const char* text, const word_t x, int ns) { + uint32_t lo, hi, e = 0, o = 0; + for (int d = 0; d < ns; ++d) { + e ^= ROR32(x.s[d].w[0], ROT(d)); + o ^= ROR32(x.s[d].w[1], ROT(d)); + } + BI(lo, hi, e, o); + printf("%s=%016" PRIx64, text, (uint64_t)hi << 32 | lo); +#ifdef ASCON_PRINTBI32 + printf(" (%08x_%08x)", o, e); +#endif +} + +void printstate(const char* text, const state_t* s, int ns) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0], ns); + printword(" x1", s->x[1], ns); + printword(" x2", s->x[2], ns); + printword(" x3", s->x[3], ns); + printword(" x4", s->x[4], ns); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.h new file mode 100644 index 0000000..a68f067 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const word_t x, int ns); +void printstate(const char* text, const state_t* si, int ns); + +#else + +#define printword(text, w, ns) \ + do { \ + } while (0) + +#define printstate(text, s, ns) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/round.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/round.h new file mode 100644 index 0000000..ee37ab1 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/round.h 
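Review bot: `printword` recombines all shares (`e ^= ROR32(x.s[d].w[0], ROT(d))`) and prints the unmasked state, including the key-dependent words, to stdout; that is the point of a debug aid, but the `#ifdef ASCON_PRINT_STATE` line deserves a comment such as `/* debug only: prints the UNMASKED state, never enable in a production build */` so the flag is not left on by accident. In `printstate`, `int i = strlen(text)` narrows a `size_t`; `for (size_t i = strlen(text); i < 17; ++i)` avoids the conversion warning.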
@@ -0,0 +1,99 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "constants.h" +#include "printstate.h" + +forceinline state_t AFFINE1(state_t s, int i, int d) { + s.x[2].s[d].w[i] ^= s.x[1].s[d].w[i]; + s.x[0].s[d].w[i] ^= s.x[4].s[d].w[i]; + s.x[4].s[d].w[i] ^= s.x[3].s[d].w[i]; + return s; +} + +forceinline state_t AFFINE2(state_t s, int i, int d) { + s.x[2].s[d].w[i] ^= s.x[5].s[d].w[i]; + s.x[1].s[d].w[i] ^= s.x[0].s[d].w[i]; + s.x[0].s[d].w[i] ^= s.x[4].s[d].w[i]; + s.x[3].s[d].w[i] ^= s.x[2].s[d].w[i]; + return s; +} + +forceinline state_t SBOX(state_t s, int i, int ns) { + /* affine layer 1 */ + if (ns >= 1) s = AFFINE1(s, i, 0); + if (ns >= 2) s = AFFINE1(s, i, 1); + if (ns >= 3) s = AFFINE1(s, i, 2); + if (ns >= 4) s = AFFINE1(s, i, 3); + /* Toffoli gates */ + s.x[5] = MXORBIC(s.x[5], s.x[4], s.x[3], i, ns); + s.x[4] = MXORBIC(s.x[4], s.x[1], s.x[0], i, ns); + s.x[1] = MXORBIC(s.x[1], s.x[3], s.x[2], i, ns); + s.x[3] = MXORBIC(s.x[3], s.x[0], s.x[4], i, ns); + s.x[0] = MXORBIC(s.x[0], s.x[2], s.x[1], i, ns); + /* affine layer 2 */ + if (ns >= 1) s = AFFINE2(s, i, 0); + s.x[2].s[0].w[i] = ~s.x[2].s[0].w[i]; + if (ns >= 2) s = AFFINE2(s, i, 1); + if (ns >= 3) s = AFFINE2(s, i, 2); + if (ns >= 4) s = AFFINE2(s, i, 3); + return s; +} + +forceinline state_t LINEAR(state_t s, int d) { + state_t t; + t.x[0].s[d].w[0] = s.x[0].s[d].w[0] ^ ROR32(s.x[0].s[d].w[1], 4); + t.x[0].s[d].w[1] = s.x[0].s[d].w[1] ^ ROR32(s.x[0].s[d].w[0], 5); + t.x[1].s[d].w[0] = s.x[1].s[d].w[0] ^ ROR32(s.x[1].s[d].w[0], 11); + t.x[1].s[d].w[1] = s.x[1].s[d].w[1] ^ ROR32(s.x[1].s[d].w[1], 11); + t.x[2].s[d].w[0] = s.x[2].s[d].w[0] ^ ROR32(s.x[2].s[d].w[1], 2); + t.x[2].s[d].w[1] = s.x[2].s[d].w[1] ^ ROR32(s.x[2].s[d].w[0], 3); + t.x[3].s[d].w[0] = s.x[3].s[d].w[0] ^ ROR32(s.x[3].s[d].w[1], 3); + t.x[3].s[d].w[1] = s.x[3].s[d].w[1] ^ ROR32(s.x[3].s[d].w[0], 4); + t.x[4].s[d].w[0] = s.x[4].s[d].w[0] ^ ROR32(s.x[4].s[d].w[0], 17); + t.x[4].s[d].w[1] = s.x[4].s[d].w[1] ^ 
ROR32(s.x[4].s[d].w[1], 17); + s.x[0].s[d].w[0] ^= ROR32(t.x[0].s[d].w[1], 9); + s.x[0].s[d].w[1] ^= ROR32(t.x[0].s[d].w[0], 10); + s.x[1].s[d].w[0] ^= ROR32(t.x[1].s[d].w[1], 19); + s.x[1].s[d].w[1] ^= ROR32(t.x[1].s[d].w[0], 20); + s.x[2].s[d].w[0] ^= ROR32(t.x[2].s[d].w[1], 0); + s.x[2].s[d].w[1] ^= ROR32(t.x[2].s[d].w[0], 1); + s.x[3].s[d].w[0] ^= ROR32(t.x[3].s[d].w[0], 5); + s.x[3].s[d].w[1] ^= ROR32(t.x[3].s[d].w[1], 5); + s.x[4].s[d].w[0] ^= ROR32(t.x[4].s[d].w[1], 3); + s.x[4].s[d].w[1] ^= ROR32(t.x[4].s[d].w[0], 4); + return s; +} + +forceinline void ROUND_(state_t* p, uint8_t C_o, uint8_t C_e, int ns) { + state_t s = *p; + /* constant and sbox layer*/ + s.x[2].s[0].w[0] ^= C_e; + s = SBOX(s, 0, ns); + s.x[2].s[0].w[1] ^= C_o; + s = SBOX(s, 1, ns); + /* reuse rotated randomness */ + s.x[5] = MREUSE(s.x[5], 0, ns); + /* linear layer*/ + if (ns >= 4) s = LINEAR(s, 3); + if (ns >= 3) s = LINEAR(s, 2); + if (ns >= 2) s = LINEAR(s, 1); + if (ns >= 1) s = LINEAR(s, 0); + *p = s; + printstate(" round output", &s, ns); +} + +forceinline void ROUND(state_t* p, uint64_t C, int ns) { + ROUND_(p, C >> 32, C, ns); +} + +forceinline void PROUNDS(state_t* s, int nr, int ns) { + int i = START(nr); + do { + ROUND_(s, RC(i), ns); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.c new file mode 100644 index 0000000..ae090bb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.c 
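Review bot: `PROUNDS` assumes `1 <= nr <= 12` but never checks it: `i = START(nr)` is `12 - nr`, and the `do`/`while (i != END)` loop executes at least once, so `nr == 0` reads `constants[24]`/`constants[25]` past the end of the 24-entry table and then counts `i` past 12 indefinitely, and `nr > 12` starts below zero. Since `ASCON_PB_ROUNDS` is overridable in `config.h`, a comment on `PROUNDS` (`/* nr must be in [1, 12]: START(nr) indexes the 24-entry constants[] table */`) plus a compile-time range check on `ASCON_PA_ROUNDS`/`ASCON_PB_ROUNDS` would close the gap. `ROUND` also passes `C >> 32` and `C` to the `uint8_t` parameters of `ROUND_`, relying on implicit truncation; an explicit `(uint8_t)` cast would state that only the low byte of each half is a round constant.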
@@ -0,0 +1,160 @@ + +#include "shares.h" + +#include +#include + +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR64(uint64_t x, int n) { + return x >> n | x << (-n & 63); +} + +void generate_shares(uint32_t* s, int num_shares, const uint8_t* data, + uint64_t len); + +void combine_shares(uint8_t* data, uint64_t len, const uint32_t* s, + int num_shares); + +void generate_shares_encrypt(const unsigned char* m, mask_m_uint32_t* ms, + const unsigned long long mlen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks) { + generate_shares((uint32_t*)ks, NUM_SHARES_KEY, k, CRYPTO_KEYBYTES); + generate_shares((uint32_t*)npubs, NUM_SHARES_NPUB, npub, CRYPTO_NPUBBYTES); + generate_shares((uint32_t*)ads, NUM_SHARES_AD, ad, adlen); + generate_shares((uint32_t*)ms, NUM_SHARES_M, m, mlen); +} + +void generate_shares_decrypt(const unsigned char* c, mask_c_uint32_t* cs, + const unsigned long long clen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks) { + unsigned long long mlen = clen - CRYPTO_ABYTES; + mask_c_uint32_t* ts = cs + NUM_WORDS(mlen); + generate_shares((uint32_t*)ks, NUM_SHARES_KEY, k, CRYPTO_KEYBYTES); + generate_shares((uint32_t*)npubs, NUM_SHARES_NPUB, npub, CRYPTO_NPUBBYTES); + generate_shares((uint32_t*)ads, NUM_SHARES_AD, ad, adlen); + generate_shares((uint32_t*)cs, NUM_SHARES_C, c, mlen); + generate_shares((uint32_t*)ts, NUM_SHARES_C, c + mlen, CRYPTO_ABYTES); +} + +void combine_shares_encrypt(const mask_c_uint32_t* cs, unsigned char* c, + unsigned long long clen) { + unsigned long long mlen = clen - CRYPTO_ABYTES; + const mask_c_uint32_t* ts = cs + 
NUM_WORDS(mlen); + combine_shares(c, mlen, (uint32_t*)cs, NUM_SHARES_C); + combine_shares(c + mlen, CRYPTO_ABYTES, (uint32_t*)ts, NUM_SHARES_C); +} + +void combine_shares_decrypt(const mask_m_uint32_t* ms, unsigned char* m, + unsigned long long mlen) { + combine_shares(m, mlen, (uint32_t*)ms, NUM_SHARES_M); +} + +void generate_shares(uint32_t* s, int num_shares, const uint8_t* data, + uint64_t len) { + uint32_t rnd0, rnd1; + uint64_t rnd, i; + /* generate random shares */ + for (i = 0; i < NUM_WORDS(len); i += 2) { + s[(i + 0) * num_shares + 0] = 0; + s[(i + 1) * num_shares + 0] = 0; + for (int d = 1; d < num_shares; ++d) { + RND(rnd0); + RND(rnd1); + s[(i + 0) * num_shares + d] = rnd0; + s[(i + 1) * num_shares + d] = rnd1; +#if ASCON_EXTERN_BI + s[(i + 0) * num_shares + 0] ^= ROR32(rnd0, ROT(d)); + s[(i + 1) * num_shares + 0] ^= ROR32(rnd1, ROT(d)); +#else + rnd = ROR64((uint64_t)rnd1 << 32 | rnd0, ROT(2 * d)); + s[(i + 0) * num_shares + 0] ^= (uint32_t)rnd; + s[(i + 1) * num_shares + 0] ^= (uint32_t)(rnd >> 32); +#endif + } + } + /* mask complete words */ + for (i = 0; i < len / 8; ++i) { + uint64_t x; + memcpy(&x, data + i * 8, 8); + x = U64BIG(x); +#if ASCON_EXTERN_BI + x = TOBI(x); +#endif + s[(2 * i + 0) * num_shares + 0] ^= (uint32_t)x; + s[(2 * i + 1) * num_shares + 0] ^= (uint32_t)(x >> 32); + } + /* mask remaining bytes */ + if ((len / 8 * 8) != len) { + uint64_t x = 0; + for (i = (len / 8) * 8; i < len; ++i) { + x ^= (uint64_t)data[i] << ((i % 8) * 8); + } + x = U64BIG(x); +#if ASCON_EXTERN_BI + x = TOBI(x); +#endif + s[(2 * (len / 8) + 0) * num_shares + 0] ^= (uint32_t)x; + s[(2 * (len / 8) + 1) * num_shares + 0] ^= (uint32_t)(x >> 32); + } +} + +void combine_shares(uint8_t* data, uint64_t len, const uint32_t* s, + int num_shares) { + uint32_t rnd0, rnd1; + uint64_t i; + /* unmask complete words */ + for (i = 0; i < len / 8; ++i) { + uint64_t x = 0; + for (int d = 0; d < num_shares; ++d) { + rnd0 = s[(2 * i + 0) * num_shares + d]; + rnd1 = s[(2 * i + 1) 
* num_shares + d]; +#if ASCON_EXTERN_BI + x ^= (uint64_t)ROR32(rnd0, ROT(d)); + x ^= (uint64_t)ROR32(rnd1, ROT(d)) << 32; +#else + x ^= ROR64((uint64_t)rnd1 << 32 | rnd0, ROT(2 * d)); +#endif + } +#if ASCON_EXTERN_BI + x = FROMBI(x); +#endif + x = U64BIG(x); + memcpy(data + i * 8, &x, 8); + } + /* unmask remaining bytes */ + if ((len / 8 * 8) != len) { + uint64_t x = 0; + for (int d = 0; d < num_shares; ++d) { + rnd0 = s[(2 * (len / 8) + 0) * num_shares + d]; + rnd1 = s[(2 * (len / 8) + 1) * num_shares + d]; +#if ASCON_EXTERN_BI + x ^= (uint64_t)ROR32(rnd0, ROT(d)); + x ^= (uint64_t)ROR32(rnd1, ROT(d)) << 32; +#else + x ^= ROR64((uint64_t)rnd1 << 32 | rnd0, ROT(2 * d)); +#endif + } +#if ASCON_EXTERN_BI + x = FROMBI(x); +#endif + x = U64BIG(x); + for (i = (len / 8) * 8; i < len; ++i) { + data[i] = x >> ((i % 8) * 8); + } + } +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.h new file mode 100644 index 0000000..af21b0b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/shares.h 
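Review bot: `generate_shares_decrypt` computes `unsigned long long mlen = clen - CRYPTO_ABYTES;` and derives `ts = cs + NUM_WORDS(mlen)` from it without checking `clen >= CRYPTO_ABYTES`, so a short ciphertext wraps mlen to a huge value and the following generate_shares calls run off the end of both c and cs. The leveled crypto_aead.c in this patch rejects such a clen before calling into the shares layer; the caller for this protected_bi32_armv6 variant is outside the chunk, so the precondition should at least be stated at the definition, e.g. `/* precondition: clen >= CRYPTO_ABYTES, enforced by crypto_aead_decrypt */`. `crypto_aead_decrypt_shared` in crypto_aead_shared.c has the same unchecked subtraction and deserves the same comment. Minor: `rnd` in `generate_shares` is only used in the `#else` branch and is an unused variable when `ASCON_EXTERN_BI` is set.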
@@ -0,0 +1,56 @@ +#ifndef SHARES_H_ +#define SHARES_H_ + +#include + +#include "api.h" +#include "config.h" +#include "randombytes.h" + +#define NUM_WORDS(len) ((((len) + 7) / 8) * 2) +#define ROT(i) (((i) * (ASCON_ROR_SHARES)) & 31) +#define RND(rnd) randombytes((unsigned char*)&rnd, 4) + +typedef struct { + uint32_t shares[NUM_SHARES_M]; +} mask_m_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_C]; +} mask_c_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_AD]; +} mask_ad_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_NPUB]; +} mask_npub_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_KEY]; +} mask_key_uint32_t; + +void generate_shares_encrypt(const unsigned char* m, mask_m_uint32_t* ms, + const unsigned long long mlen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks); + +void generate_shares_decrypt(const unsigned char* c, mask_c_uint32_t* cs, + const unsigned long long clen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks); + +void combine_shares_encrypt(const mask_c_uint32_t* cs, unsigned char* c, + unsigned long long clen); + +void combine_shares_decrypt(const mask_m_uint32_t* ms, unsigned char* m, + unsigned long long mlen); + +#endif /* SHARES_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/word.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/word.h new file mode 100644 index 0000000..d145d8f --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6/word.h 
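Review bot: `RND(rnd)` takes the address of its argument without parentheses, `&rnd`, so it only works for arguments that are a single postfix expression; `#define RND(rnd) randombytes((unsigned char*)&(rnd), 4)` is the hygienic form. Every share produced by generate_shares and by the gadgets in word.h is drawn through this macro, so the masking's protection is only as good as the randombytes() implementation linked in; that dependency belongs in a comment next to the macro, e.g. `/* all masking randomness comes from randombytes(); it must be unpredictable on the target */`. The return value of randombytes is discarded; if the target's implementation can report failure, that should be surfaced rather than silently continuing with whatever the variable held.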
@@ -0,0 +1,270 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "asm.h" +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" +#include "shares.h" + +typedef struct { + uint32_t w[2]; +} share_t; + +typedef struct { + share_t s[NUM_SHARES_KEY]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR32x2(uint64_t x, int n) { + uint32_t lo = x; + uint32_t hi = x >> 32; + lo = ROR32(lo, n); + hi = ROR32(hi, n); + return (uint64_t)hi << 32 | lo; +} + +forceinline uint64_t ROR64(uint64_t x, int n) { + return x >> n | x << (-n & 63); +} + +forceinline word_t MXOR(word_t a, word_t b, int ns) { + if (ns >= 1) a.s[0].w[0] ^= b.s[0].w[0]; + if (ns >= 1) a.s[0].w[1] ^= b.s[0].w[1]; + if (ns >= 2) a.s[1].w[0] ^= b.s[1].w[0]; + if (ns >= 2) a.s[1].w[1] ^= b.s[1].w[1]; + if (ns >= 3) a.s[2].w[0] ^= b.s[2].w[0]; + if (ns >= 3) a.s[2].w[1] ^= b.s[2].w[1]; + if (ns >= 4) a.s[3].w[0] ^= b.s[3].w[0]; + if (ns >= 4) a.s[3].w[1] ^= b.s[3].w[1]; + return a; +} + +forceinline word_t MXORBIC(word_t c, word_t a, word_t b, int i, int ns) { + uint32_t tmp; + if (ns == 1) { + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + } + if (ns == 2) { + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + EOR_BIC_ROR(c.s[1].w[i], a.s[1].w[i], b.s[0].w[i], 0 - 1, tmp); + CLEAR(); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[1].w[i], 0, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[1].w[i], 1 - 0, tmp); + CLEAR(); + } + if (ns == 3) { + EOR_AND_ROR(c.s[0].w[i], b.s[0].w[i], a.s[1].w[i], 1 - 0, tmp); + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + EOR_AND_ROR(c.s[0].w[i], b.s[0].w[i], a.s[2].w[i], 2 - 0, tmp); + EOR_AND_ROR(c.s[1].w[i], b.s[1].w[i], a.s[2].w[i], 2 - 1, tmp); + EOR_BIC_ROR(c.s[1].w[i], a.s[1].w[i], b.s[1].w[i], 0, tmp); + EOR_AND_ROR(c.s[1].w[i], b.s[1].w[i], a.s[0].w[i], 0 - 1, tmp); + EOR_BIC_ROR(c.s[2].w[i], 
b.s[2].w[i], a.s[0].w[i], 0 - 2, tmp); + EOR_ORR_ROR(c.s[2].w[i], a.s[2].w[i], b.s[2].w[i], 0, tmp); + EOR_AND_ROR(c.s[2].w[i], b.s[2].w[i], a.s[1].w[i], 1 - 2, tmp); + } + if (ns == 4) { + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + EOR_BIC_ROR(c.s[1].w[i], a.s[1].w[i], b.s[0].w[i], 0 - 1, tmp); + EOR_BIC_ROR(c.s[2].w[i], a.s[2].w[i], b.s[0].w[i], 0 - 2, tmp); + EOR_BIC_ROR(c.s[3].w[i], a.s[3].w[i], b.s[0].w[i], 0 - 3, tmp); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[1].w[i], 0, tmp); + EOR_AND_ROR(c.s[2].w[i], a.s[2].w[i], b.s[1].w[i], 1 - 2, tmp); + EOR_AND_ROR(c.s[3].w[i], a.s[3].w[i], b.s[1].w[i], 1 - 3, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[1].w[i], 1 - 0, tmp); + EOR_AND_ROR(c.s[2].w[i], a.s[2].w[i], b.s[2].w[i], 0, tmp); + EOR_AND_ROR(c.s[3].w[i], a.s[3].w[i], b.s[2].w[i], 2 - 3, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[2].w[i], 2 - 0, tmp); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[2].w[i], 2 - 1, tmp); + EOR_AND_ROR(c.s[3].w[i], a.s[3].w[i], b.s[3].w[i], 0, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[3].w[i], 3 - 0, tmp); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[3].w[i], 3 - 1, tmp); + EOR_AND_ROR(c.s[2].w[i], a.s[2].w[i], b.s[3].w[i], 3 - 2, tmp); + } + return c; +} + +forceinline word_t MXORAND(word_t c, word_t a, word_t b, int ns) { + b.s[0].w[0] = ~b.s[0].w[0]; + b.s[0].w[1] = ~b.s[0].w[1]; + c = MXORBIC(c, a, b, 0, ns); + c = MXORBIC(c, a, b, 1, ns); + return c; +} + +forceinline word_t MRND(int ns) { + word_t w; + if (ns >= 2) RND(w.s[1].w[0]); + if (ns >= 2) RND(w.s[1].w[1]); + if (ns >= 3) RND(w.s[2].w[0]); + if (ns >= 3) RND(w.s[2].w[1]); + if (ns >= 4) RND(w.s[3].w[0]); + if (ns >= 4) RND(w.s[3].w[1]); + return w; +} + +forceinline word_t MMIX(word_t w, int ns) { + if (ns >= 2) w.s[1].w[0] = ROR32(w.s[1].w[0], 7); + if (ns >= 2) w.s[1].w[1] = ROR32(w.s[1].w[1], 7); + if (ns >= 3) w.s[2].w[0] = ROR32(w.s[2].w[0], 13); + if (ns >= 3) w.s[2].w[1] = ROR32(w.s[2].w[1], 13); + if (ns >= 4) w.s[3].w[0] 
= ROR32(w.s[3].w[0], 29); + if (ns >= 4) w.s[3].w[1] = ROR32(w.s[3].w[1], 29); + return w; +} + +forceinline word_t MREDUCE(word_t w, int nsi, int nso) { + if (nsi >= 2 && nso < 2) w.s[0].w[0] ^= ROR32(w.s[1].w[0], ROT(1)); + if (nsi >= 2 && nso < 2) w.s[0].w[1] ^= ROR32(w.s[1].w[1], ROT(1)); + if (nsi >= 3 && nso < 3) w.s[0].w[0] ^= ROR32(w.s[2].w[0], ROT(2)); + if (nsi >= 3 && nso < 3) w.s[0].w[1] ^= ROR32(w.s[2].w[1], ROT(2)); + if (nsi >= 4 && nso < 4) w.s[0].w[0] ^= ROR32(w.s[3].w[0], ROT(3)); + if (nsi >= 4 && nso < 4) w.s[0].w[1] ^= ROR32(w.s[3].w[1], ROT(3)); + return w; +} + +forceinline word_t MEXPAND(word_t w, int nsi, int nso) { + return MREDUCE(w, nso, nsi); +} + +forceinline word_t MREUSE(word_t w, uint64_t val, int ns) { + w.s[0].w[0] = (uint32_t)val; + w.s[0].w[1] = val >> 32; + w = MMIX(w, ns); + w = MEXPAND(w, 1, ns); + return w; +} + +forceinline word_t MZERO(int ns) { + word_t w; + if (ns == 1) { + MOVI(w.s[0].w[0], 0); + MOVI(w.s[0].w[1], 0); + } + if (ns >= 2) { + RND(w.s[1].w[0]); + RND(w.s[1].w[1]); + RORI(w.s[1].w[0], w.s[1].w[0], 7); + RORI(w.s[1].w[1], w.s[1].w[1], 7); + RORI(w.s[0].w[0], w.s[1].w[0], ROT(1)); + RORI(w.s[0].w[1], w.s[1].w[1], ROT(1)); + if (ns == 2) CLEAR(); + } + if (ns >= 3) { + RND(w.s[2].w[0]); + RND(w.s[2].w[1]); + RORI(w.s[2].w[0], w.s[2].w[0], 13); + RORI(w.s[2].w[1], w.s[2].w[1], 13); + EOR_ROR(w.s[0].w[0], w.s[0].w[0], w.s[2].w[0], ROT(2)); + EOR_ROR(w.s[0].w[1], w.s[0].w[1], w.s[2].w[1], ROT(2)); + } + if (ns >= 4) { + RND(w.s[3].w[0]); + RND(w.s[3].w[1]); + RORI(w.s[3].w[0], w.s[3].w[0], 29); + RORI(w.s[3].w[1], w.s[3].w[1], 29); + EOR_ROR(w.s[0].w[0], w.s[0].w[0], w.s[3].w[0], ROT(3)); + EOR_ROR(w.s[0].w[1], w.s[0].w[1], w.s[3].w[1], ROT(3)); + } + return w; +} + +forceinline word_t MMASK(int n, int ns) { + uint32_t mask = 0xffffffff >> (n * 4); + word_t m = MZERO(ns); + m.s[0].w[0] ^= mask; + m.s[0].w[1] ^= mask; + return m; +} + +forceinline word_t MREFRESH(word_t w, int ns) { + word_t r = MZERO(ns); + 
return MXOR(w, r, ns); +} + +forceinline int MNOTZERO(word_t a, word_t b, int ns) { + word_t c = MZERO(ns); + /* note: OR(a,b) = ~BIC(~a,b) */ + a.s[0].w[0] = ~a.s[0].w[0]; + a.s[0].w[1] = ~a.s[0].w[1]; + /* OR first and second 64-bit word */ + c = MXORBIC(c, a, b, 0, ns); + c = MXORBIC(c, a, b, 1, ns); + /* OR even and odd words */ + if (ns >= 1) b.s[0].w[0] = c.s[0].w[1]; + if (ns >= 2) b.s[1].w[0] = c.s[1].w[1]; + if (ns >= 3) b.s[2].w[0] = c.s[2].w[1]; + if (ns >= 4) b.s[3].w[0] = c.s[3].w[1]; + a = MXORBIC(a, b, c, 0, ns); + /* loop to OR 16/8/4/2/1 bit chunks */ + for (int i = 16; i > 0; i >>= 1) { + if (ns >= 1) b.s[0].w[0] = ROR32(a.s[0].w[0], i); + if (ns >= 2) b.s[1].w[0] = ROR32(a.s[1].w[0], i); + if (ns >= 3) b.s[2].w[0] = ROR32(a.s[2].w[0], i); + if (ns >= 4) b.s[3].w[0] = ROR32(a.s[3].w[0], i); + c = MXORBIC(c, a, b, 0, ns); + if (ns >= 1) a.s[0].w[0] = c.s[0].w[0]; + if (ns >= 2) a.s[1].w[0] = c.s[1].w[0]; + if (ns >= 3) a.s[2].w[0] = c.s[2].w[0]; + if (ns >= 4) a.s[3].w[0] = c.s[3].w[0]; + } + /* unmask result */ + if (ns >= 2) a.s[0].w[0] ^= ROR32(a.s[1].w[0], ROT(1)); + if (ns >= 3) a.s[0].w[0] ^= ROR32(a.s[2].w[0], ROT(2)); + if (ns >= 4) a.s[0].w[0] ^= ROR32(a.s[3].w[0], ROT(3)); + return ~a.s[0].w[0]; +} + +forceinline share_t LOADSHARE(uint32_t* data, int ns) { + share_t s; + uint32_t lo, hi; + LDR(lo, data, 0); + LDR(hi, data, 4 * ns); +#if !ASCON_EXTERN_BI + BD(s.w[0], s.w[1], lo, hi); + if (ns == 2) CLEAR(); +#else + s.w[0] = lo; + s.w[1] = hi; +#endif + return s; +} + +forceinline void STORESHARE(uint32_t* data, share_t s, int ns) { + uint32_t lo, hi; +#if !ASCON_EXTERN_BI + BI(lo, hi, s.w[0], s.w[1]); + if (ns == 2) CLEAR(); +#else + lo = s.w[0]; + hi = s.w[1]; +#endif + STR(lo, data, 0); + STR(hi, data, 4 * ns); +} + +forceinline word_t MLOAD(uint32_t* data, int ns) { + word_t w = {0}; + if (ns >= 1) w.s[0] = LOADSHARE(&(data[0]), ns); + if (ns >= 2) w.s[1] = LOADSHARE(&(data[1]), ns); + if (ns >= 3) w.s[2] = LOADSHARE(&(data[2]), ns); + 
if (ns >= 4) w.s[3] = LOADSHARE(&(data[3]), ns); + return w; +} + +forceinline void MSTORE(uint32_t* data, word_t w, int ns) { + if (ns >= 1) STORESHARE(&(data[0]), w.s[0], ns); + if (ns >= 2) STORESHARE(&(data[1]), w.s[1], ns); + if (ns >= 3) STORESHARE(&(data[2]), w.s[2], ns); + if (ns >= 4) STORESHARE(&(data[3]), w.s[3], ns); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/api.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/api.h new file mode 100644 index 0000000..e171aa4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/api.h @@ -0,0 +1,31 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 + +#ifndef ASCON_ROR_SHARES +#define ASCON_ROR_SHARES 5 +#endif + +#ifndef NUM_SHARES_M +#define NUM_SHARES_M 1 +#endif + +#ifndef NUM_SHARES_C +#define NUM_SHARES_C 1 +#endif + +#ifndef NUM_SHARES_AD +#define NUM_SHARES_AD 1 +#endif + +#ifndef NUM_SHARES_NPUB +#define NUM_SHARES_NPUB 1 +#endif + +#ifndef NUM_SHARES_KEY +#define NUM_SHARES_KEY 2 +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/architectures b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/ascon.h new file mode 100644 index 0000000..8578c49 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/ascon.h 
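Review bot: The masked gadgets `MXORBIC`, `MXOR`, `MZERO` and friends are written out for `ns` 1..4 only, and `word_t` holds `share_t s[NUM_SHARES_KEY]`, yet `NUM_SHARES_M`, `NUM_SHARES_C`, `NUM_SHARES_AD`, `NUM_SHARES_NPUB` and `NUM_SHARES_KEY` are `#ifndef` defaults (see the leveled api.h further down; this variant's api.h presumably matches) that a build can override. An `ns` above 4 makes `MXORBIC` silently return `c` unchanged, so the nonlinear layer in SBOX would be skipped, and any NUM_SHARES_* larger than NUM_SHARES_KEY indexes `s[]` past its end. A preprocessor check in word.h after the typedefs turns that into a build error: `#if NUM_SHARES_KEY > 4 || NUM_SHARES_M > NUM_SHARES_KEY || NUM_SHARES_C > NUM_SHARES_KEY || NUM_SHARES_AD > NUM_SHARES_KEY || NUM_SHARES_NPUB > NUM_SHARES_KEY` / `#error "unsupported share configuration"` / `#endif`. Separately, `MRND` returns `w` with `s[0]` never written; presumably every caller overwrites it, but none is visible here, so a comment stating that contract would help.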
@@ -0,0 +1,29 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "shares.h"
+#include "word.h"
+
+typedef struct {
+ word_t x[6];
+} state_t;
+
+void ascon_initaead(state_t* s, const mask_npub_uint32_t* n,
+ const mask_key_uint32_t* k);
+void ascon_adata(state_t* s, const mask_ad_uint32_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, mask_c_uint32_t* c, const mask_m_uint32_t* m,
+ uint64_t mlen);
+void ascon_decrypt(state_t* s, mask_m_uint32_t* m, const mask_c_uint32_t* c,
+ uint64_t clen);
+void ascon_final(state_t* s, const mask_key_uint32_t* k);
+void ascon_settag(state_t* s, mask_c_uint32_t* t);
+void ascon_xortag(state_t* s, const mask_c_uint32_t* t);
+int ascon_iszero(state_t* s);
+
+void ascon_level_adata(state_t* s);
+void ascon_level_encdec(state_t* s);
+void ascon_level_final(state_t* s);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/asm.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/asm.h
new file mode 100644
index 0000000..805d453
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/asm.h
@@ -0,0 +1,38 @@ +#ifndef ASM_H_ +#define ASM_H_ + +#ifndef __GNUC__ +#define __asm__ asm +#endif + +#define CLEAR() \ + do { \ + uint32_t r, v = 0; \ + __asm__ volatile("mov %0, %1\n\t" : "=r"(r) : "i"(v)); \ + } while (0) + +#define EOR_AND_ROR(ce, ae, be, imm, tmp) \ + __asm__ volatile( \ + "and %[tmp_], %[ae_], %[be_], ror %[i1_]\n\t" \ + "eor %[ce_], %[tmp_], %[ce_]\n\t" \ + : [ ce_ ] "+r"(ce), [ tmp_ ] "=r"(tmp) \ + : [ ae_ ] "r"(ae), [ be_ ] "r"(be), [ i1_ ] "i"(ROT(imm)) \ + :) + +#define EOR_BIC_ROR(ce, ae, be, imm, tmp) \ + __asm__ volatile( \ + "bic %[tmp_], %[ae_], %[be_], ror %[i1_]\n\t" \ + "eor %[ce_], %[tmp_], %[ce_]\n\t" \ + : [ ce_ ] "+r"(ce), [ tmp_ ] "=r"(tmp) \ + : [ ae_ ] "r"(ae), [ be_ ] "r"(be), [ i1_ ] "i"(ROT(imm)) \ + :) + +#define EOR_ORR_ROR(ce, ae, be, imm, tmp) \ + __asm__ volatile( \ + "orr %[tmp_], %[ae_], %[be_], ror %[i1_]\n\t" \ + "eor %[ce_], %[tmp_], %[ce_]\n\t" \ + : [ ce_ ] "+r"(ce), [ tmp_ ] "=r"(tmp) \ + : [ ae_ ] "r"(ae), [ be_ ] "r"(be), [ i1_ ] "i"(ROT(imm)) \ + :) + +#endif // ASM_H_ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/config.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/config.h new file mode 100644 index 0000000..e28b2ec --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/config.h @@ -0,0 +1,21 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +#include "api.h" + +/* extern bit interleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + +/* number of PA rounds */ +#ifndef ASCON_PA_ROUNDS +#define ASCON_PA_ROUNDS 12 +#endif + +/* number of PB rounds */ +#ifndef ASCON_PB_ROUNDS +#define ASCON_PB_ROUNDS 6 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.c new file mode 100644 index 0000000..13bb289 --- /dev/null 
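Review bot: `CLEAR()` writes an immediate zero into an output register `r` that is never read, so the compiler chooses which register the `mov` targets; `volatile` keeps the instruction, but nothing ties it to the register that last held a share, so whether it suppresses the intended transition leakage depends on register allocation at each call site. That is worth stating at the macro, e.g. `/* zeroes one allocator-chosen register; verify in the disassembly that it is the one that held the share */`. The macros also use `uint32_t` and `ROT(imm)` although asm.h includes neither stdint.h nor shares.h, which only works because macros expand at the use site; a one-line comment noting that asm.h is expansion-time dependent on those headers would save the next reader a confusing compile error.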
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.c
@@ -0,0 +1,5 @@
+#include "constants.h"
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.h
new file mode 100644
index 0000000..fda3a6c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) constants[2 * i + 1], constants[2 * i + 0] + +#define START(n) (12 - (n)) +#define INC 1 +#define END 12 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead.c new file mode 100644 index 0000000..a6e867f --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead.c 
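Review bot: `RC(i)` expands to two comma-separated array reads, `constants[2 * i + 1], constants[2 * i + 0]`, and its parameter is not parenthesized, so `RC(i + 1)` would silently index the wrong bytes; `#define RC(i) constants[2 * (i) + 1], constants[2 * (i) + 0]` fixes the precedence, and a comment `/* expands to two arguments: odd-round byte, even-round byte */` documents the arity trick that round.h's `ROUND_(s, RC(i), ns)` relies on. The `RC0`..`RCb` 64-bit constants appear to encode the same values as the `constants[]` table in constants.c; if they are kept for a non-table code path, a comment saying so will keep the two from drifting apart.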
@@ -0,0 +1,73 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "crypto_aead_shared.h" + +#ifdef SS_VER +#include "hal.h" +#else +#define trigger_high() +#define trigger_low() +#endif + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* a, unsigned long long alen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + /* dynamic allocation of input/output shares */ + mask_key_uint32_t* ks = malloc(sizeof(*ks) * NUM_WORDS(CRYPTO_KEYBYTES)); + mask_npub_uint32_t* ns = malloc(sizeof(*ns) * NUM_WORDS(CRYPTO_NPUBBYTES)); + mask_ad_uint32_t* as = malloc(sizeof(*as) * NUM_WORDS(alen)); + mask_m_uint32_t* ms = malloc(sizeof(*ms) * NUM_WORDS(mlen)); + mask_c_uint32_t* cs = malloc(sizeof(*cs) * NUM_WORDS(mlen + CRYPTO_ABYTES)); + /* mask plain input data */ + generate_shares_encrypt(m, ms, mlen, a, as, alen, npub, ns, k, ks); + /* call shared interface of ascon encrypt */ + trigger_high(); + crypto_aead_encrypt_shared(cs, clen, ms, mlen, as, alen, ns, ks); + trigger_low(); + /* unmask shared output data */ + combine_shares_encrypt(cs, c, *clen); + /* free shares */ + free(ks); + free(ns); + free(as); + free(ms); + free(cs); + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* a, + unsigned long long alen, const unsigned char* npub, + const unsigned char* k) { + int result = 0; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* dynamic allocation of input/output shares */ + mask_key_uint32_t* ks = malloc(sizeof(*ks) * NUM_WORDS(CRYPTO_KEYBYTES)); + mask_npub_uint32_t* ns = malloc(sizeof(*ns) * NUM_WORDS(CRYPTO_NPUBBYTES)); + mask_ad_uint32_t* as = malloc(sizeof(*as) * NUM_WORDS(alen)); + mask_m_uint32_t* ms = malloc(sizeof(*ms) * NUM_WORDS(clen - CRYPTO_ABYTES)); + mask_c_uint32_t* cs = 
malloc(sizeof(*cs) * NUM_WORDS(clen)); + /* mask plain input data */ + generate_shares_decrypt(c, cs, clen, a, as, alen, npub, ns, k, ks); + /* call shared interface of ascon decrypt */ + trigger_high(); + result = crypto_aead_decrypt_shared(ms, mlen, cs, clen, as, alen, ns, ks); + trigger_low(); + /* unmask shared output data */ + combine_shares_decrypt(ms, m, *mlen); + /* free shares */ + free(ks); + free(ns); + free(as); + free(ms); + free(cs); + return result; +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.c new file mode 100644 index 0000000..b21d12a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.c 
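Review bot: None of the five malloc() results in `crypto_aead_encrypt` is checked before generate_shares_encrypt writes through them, so an allocation failure becomes a NULL write; `crypto_aead_decrypt` has the same gap. On a 32-bit target the size expressions such as `sizeof(*as) * NUM_WORDS(alen)` are evaluated in unsigned long long and truncated to size_t at the malloc call, so an oversized alen or mlen would yield an undersized buffer that generate_shares then overruns; a length bound check before allocation would close that. Separately, `combine_shares_decrypt(ms, m, *mlen)` writes the unmasked plaintext to m regardless of `result`, so on a failed tag check the caller still receives unauthenticated data; if that is intended for this benchmark variant it deserves a comment, otherwise m should be wiped when result signals failure. The checks below free whatever was allocated (free(NULL) is a no-op) and return -1, matching the existing clen check in decrypt.
```c
  mask_c_uint32_t* cs = malloc(sizeof(*cs) * NUM_WORDS(mlen + CRYPTO_ABYTES));
  if (!ks || !ns || !as || !ms || !cs) {
    free(ks); free(ns); free(as); free(ms); free(cs);
    return -1;
  }
  /* … unchanged: generate_shares_encrypt, trigger_high/low, shared call, combine, free … */
```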
@@ -0,0 +1,47 @@ +#include "crypto_aead_shared.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "shares.h" + +int crypto_aead_encrypt_shared(mask_c_uint32_t* cs, unsigned long long* clen, + const mask_m_uint32_t* ms, + unsigned long long mlen, + const mask_ad_uint32_t* ads, + unsigned long long adlen, + const mask_npub_uint32_t* npubs, + const mask_key_uint32_t* ks) { + state_t s; + *clen = mlen + CRYPTO_ABYTES; + ascon_initaead(&s, npubs, ks); + ascon_level_adata(&s); + ascon_adata(&s, ads, adlen); + ascon_level_encdec(&s); + ascon_encrypt(&s, cs, ms, mlen); + ascon_level_final(&s); + ascon_final(&s, ks); + ascon_settag(&s, cs + NUM_WORDS(mlen)); + return 0; +} + +int crypto_aead_decrypt_shared(mask_m_uint32_t* ms, unsigned long long* mlen, + const mask_c_uint32_t* cs, + unsigned long long clen, + const mask_ad_uint32_t* ads, + unsigned long long adlen, + const mask_npub_uint32_t* npubs, + const mask_key_uint32_t* ks) { + state_t s; + *mlen = clen - CRYPTO_ABYTES; + ascon_initaead(&s, npubs, ks); + ascon_level_adata(&s); + ascon_adata(&s, ads, adlen); + ascon_level_encdec(&s); + ascon_decrypt(&s, ms, cs, *mlen); + ascon_level_final(&s); + ascon_final(&s, ks); + ascon_xortag(&s, cs + NUM_WORDS(*mlen)); + return ascon_iszero(&s); +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.h new file mode 100644 index 0000000..c9d7b5c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/crypto_aead_shared.h 
@@ -0,0 +1,17 @@
+#include "shares.h"
+
+int crypto_aead_encrypt_shared(mask_c_uint32_t* cs, unsigned long long* clen,
+ const mask_m_uint32_t* ms,
+ unsigned long long mlen,
+ const mask_ad_uint32_t* ads,
+ unsigned long long adlen,
+ const mask_npub_uint32_t* npubs,
+ const mask_key_uint32_t* ks);
+
+int crypto_aead_decrypt_shared(mask_m_uint32_t* ms, unsigned long long* mlen,
+ const mask_c_uint32_t* cs,
+ unsigned long long clen,
+ const mask_ad_uint32_t* ads,
+ unsigned long long adlen,
+ const mask_npub_uint32_t* npubs,
+ const mask_key_uint32_t* ks);
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/encrypt.c
new file mode 100644
index 0000000..135e37c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/encrypt.c
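Review bot: crypto_aead_shared.h has no include guard, unlike every other header in this patch, so it relies on compatible redeclaration being legal when a translation unit pulls it in twice; wrapping it as `#ifndef CRYPTO_AEAD_SHARED_H_` / `#define CRYPTO_AEAD_SHARED_H_` … `#endif /* CRYPTO_AEAD_SHARED_H_ */` removes that dependence and matches the rest of the patch. The two prototypes would also benefit from a comment stating the contract visible in crypto_aead_shared.c: `clen` must be at least `CRYPTO_ABYTES` (the subtraction there is unchecked), and the decrypt function returns the value of `ascon_iszero`, which crypto_aead.c passes through as the authentication verdict.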
@@ -0,0 +1,228 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +void ascon_initaead(state_t* s, const mask_npub_uint32_t* n, + const mask_key_uint32_t* k) { + word_t N0, N1; + word_t K1, K2; + /* randomize the initial state */ + s->x[0] = MZERO(NUM_SHARES_KEY); + s->x[5] = MZERO(NUM_SHARES_KEY); + /* set the initial value */ + s->x[0].s[0].w[0] ^= 0x08220000; + s->x[0].s[0].w[1] ^= 0x80210000; + /* set the nonce */ + N0 = MLOAD((uint32_t*)n, NUM_SHARES_NPUB); + N1 = MLOAD((uint32_t*)(n + 2), NUM_SHARES_NPUB); + if (NUM_SHARES_KEY == NUM_SHARES_NPUB) { + s->x[3] = N0; + s->x[4] = N1; + } else { + s->x[3] = MXOR(N0, MZERO(NUM_SHARES_KEY), NUM_SHARES_KEY); + s->x[4] = MXOR(N1, MZERO(NUM_SHARES_KEY), NUM_SHARES_KEY); + } + /* first key xor */ + s->x[1] = K1 = MLOAD((uint32_t*)k, NUM_SHARES_KEY); + s->x[2] = K2 = MLOAD((uint32_t*)(k + 2), NUM_SHARES_KEY); + printstate("init 1st key xor", s, NUM_SHARES_KEY); + /* compute the permutation */ + P(s, ASCON_PA_ROUNDS, NUM_SHARES_KEY); + /* second key xor */ + s->x[3] = MXOR(s->x[3], K1, NUM_SHARES_KEY); + s->x[4] = MXOR(s->x[4], K2, NUM_SHARES_KEY); + printstate("init 2nd key xor", s, NUM_SHARES_KEY); +} + +void ascon_adata(state_t* s, const mask_ad_uint32_t* ad, uint64_t adlen) { + const int nr = ASCON_PB_ROUNDS; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + word_t as = MLOAD((uint32_t*)ad, NUM_SHARES_AD); + s->x[0] = MXOR(s->x[0], as, NUM_SHARES_AD); + printstate("absorb adata", s, NUM_SHARES_AD); + P(s, nr, NUM_SHARES_AD); + adlen -= ASCON_AEAD_RATE; + ad += 2; + } + /* final associated data block */ + s->x[0].s[0].w[1] ^= 0x80000000 >> (adlen * 4); + if (adlen) { + word_t as = MLOAD((uint32_t*)ad, NUM_SHARES_AD); + s->x[0] = MXOR(s->x[0], as, NUM_SHARES_AD); + } + printstate("pad adata", s, NUM_SHARES_AD); + P(s, nr, NUM_SHARES_AD); + } + /* domain separation */ + s->x[4].s[0].w[0] ^= 1; + printstate("domain separation", s, 
NUM_SHARES_AD); +} + +void ascon_encrypt(state_t* s, mask_c_uint32_t* c, const mask_m_uint32_t* m, + uint64_t mlen) { + const int nr = ASCON_PB_ROUNDS; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + word_t ms = MLOAD((uint32_t*)m, NUM_SHARES_M); + s->x[0] = MXOR(s->x[0], ms, NUM_SHARES_M); + MSTORE((uint32_t*)c, s->x[0], NUM_SHARES_C); + printstate("absorb plaintext", s, NUM_SHARES_M); + P(s, nr, NUM_SHARES_M); + mlen -= ASCON_AEAD_RATE; + m += 2; + c += 2; + } + /* final plaintext block */ + s->x[0].s[0].w[1] ^= 0x80000000 >> (mlen * 4); + if (mlen) { + word_t ms = MLOAD((uint32_t*)m, NUM_SHARES_M); + s->x[0] = MXOR(s->x[0], ms, NUM_SHARES_M); + MSTORE((uint32_t*)c, s->x[0], NUM_SHARES_C); + } + printstate("pad plaintext", s, NUM_SHARES_M); +} + +void ascon_decrypt(state_t* s, mask_m_uint32_t* m, const mask_c_uint32_t* c, + uint64_t clen) { + const int nr = ASCON_PB_ROUNDS; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + word_t cx = MLOAD((uint32_t*)c, NUM_SHARES_C); + s->x[0] = MXOR(s->x[0], cx, NUM_SHARES_C); + MSTORE((uint32_t*)m, s->x[0], NUM_SHARES_M); + s->x[0] = cx; + printstate("insert ciphertext", s, NUM_SHARES_M); + P(s, nr, NUM_SHARES_M); + clen -= ASCON_AEAD_RATE; + c += 2; + m += 2; + } + /* final ciphertext block */ + s->x[0].s[0].w[1] ^= 0x80000000 >> (clen * 4); + if (clen) { + word_t cx = MLOAD((uint32_t*)c, NUM_SHARES_C); + s->x[0] = MXOR(s->x[0], cx, NUM_SHARES_C); + MSTORE((uint32_t*)m, s->x[0], NUM_SHARES_M); + word_t mask = MMASK(s->x[5], clen); + s->x[0] = MXORAND(cx, s->x[0], mask, NUM_SHARES_M); + s->x[5] = MREUSE(s->x[5], 0, NUM_SHARES_M); + } + printstate("pad ciphertext", s, NUM_SHARES_M); +} + +void ascon_final(state_t* s, const mask_key_uint32_t* k) { + word_t K1, K2; + K1 = MLOAD((uint32_t*)k, NUM_SHARES_KEY); + K2 = MLOAD((uint32_t*)(k + 2), NUM_SHARES_KEY); + /* first key xor (first 64-bit word) */ + s->x[1] = MXOR(s->x[1], K1, NUM_SHARES_KEY); + /* first key xor (second 64-bit word) */ + 
s->x[2] = MXOR(s->x[2], K2, NUM_SHARES_KEY); + printstate("final 1st key xor", s, NUM_SHARES_KEY); + /* compute the permutation */ + P(s, ASCON_PA_ROUNDS, NUM_SHARES_KEY); + /* second key xor (first 64-bit word) */ + s->x[3] = MXOR(s->x[3], K1, NUM_SHARES_KEY); + /* second key xor (second 64-bit word) */ + s->x[4] = MXOR(s->x[4], K2, NUM_SHARES_KEY); + printstate("final 2nd key xor", s, NUM_SHARES_KEY); +} + +void ascon_settag(state_t* s, mask_c_uint32_t* t) { + s->x[3] = MREDUCE(s->x[3], NUM_SHARES_KEY, NUM_SHARES_C); + s->x[4] = MREDUCE(s->x[4], NUM_SHARES_KEY, NUM_SHARES_C); + MSTORE((uint32_t*)t, s->x[3], NUM_SHARES_C); + MSTORE((uint32_t*)(t + 2), s->x[4], NUM_SHARES_C); +} + +#if 0 + +void ascon_xortag(state_t* s, mask_c_uint32_t* t) { + s->x[3] = MXOR(s->x[3], MLOAD((uint32_t*)t, NUM_SHARES_MC), NUM_SHARES_KEY); + s->x[4] = MXOR(s->x[4], MLOAD((uint32_t*)(t + 2), NUM_SHARES_MC), NUM_SHARES_KEY); +} + +int ascon_iszero(state_t* s) { + return MNOTZERO(s->x[3], s->x[4]); +} + +#else + +/* expected value of x3,x4 for P(0) */ +#if ASCON_PB_ROUNDS == 1 +static const uint32_t c[4] = {0x4b000009, 0x1c800003, 0x00000000, 0x00000000}; +#elif ASCON_PB_ROUNDS == 2 +static const uint32_t c[4] = {0x5d2d1034, 0x76fa81d1, 0x0cc1c9ef, 0xdb30a503}; +#elif ASCON_PB_ROUNDS == 3 +static const uint32_t c[4] = {0xbcaa1d46, 0xf1d0bde9, 0x32c4e651, 0x7b797cd9}; +#elif ASCON_PB_ROUNDS == 4 +static const uint32_t c[4] = {0xf7820616, 0xeffead2d, 0x94846901, 0xd4895cf5}; +#elif ASCON_PB_ROUNDS == 5 +static const uint32_t c[4] = {0x9e5ce5e3, 0xd40e9b87, 0x0bfc74af, 0xf8e408a9}; +#else /* ASCON_PB_ROUNDS == 6 */ +static const uint32_t c[4] = {0x11874f08, 0x7520afef, 0xa4dd41b4, 0x4bd6f9a4}; +#endif + +void ascon_xortag(state_t* s, const mask_c_uint32_t* t) { + /* set x0, x1, x2 to zero */ + s->x[0] = MREUSE(s->x[0], 0, NUM_SHARES_KEY); + s->x[1] = MREUSE(s->x[1], 0, NUM_SHARES_KEY); + s->x[2] = MREUSE(s->x[2], 0, NUM_SHARES_KEY); + /* xor tag to x3, x4 */ + word_t t0 = MLOAD((uint32_t*)t, 
NUM_SHARES_C); + word_t t1 = MLOAD((uint32_t*)(t + 2), NUM_SHARES_C); + s->x[3] = MXOR(s->x[3], t0, NUM_SHARES_C); + s->x[4] = MXOR(s->x[4], t1, NUM_SHARES_C); + /* compute P(0) if tags are equal */ + P(s, ASCON_PB_ROUNDS, NUM_SHARES_KEY); + /* xor expected result to x3, x4 */ + s->x[3].s[0].w[0] ^= c[0]; + s->x[3].s[0].w[1] ^= c[1]; + s->x[4].s[0].w[0] ^= c[2]; + s->x[4].s[0].w[1] ^= c[3]; +} + +int ascon_iszero(state_t* s) { + uint32_t result = 0; + s->x[3] = MREDUCE(s->x[3], NUM_SHARES_KEY, 1); + s->x[4] = MREDUCE(s->x[4], NUM_SHARES_KEY, 1); + result ^= s->x[3].s[0].w[0]; + result ^= s->x[3].s[0].w[1]; + result ^= s->x[4].s[0].w[0]; + result ^= s->x[4].s[0].w[1]; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +void ascon_level_adata(state_t* s) { + s->x[0] = MREDUCE(s->x[0], NUM_SHARES_KEY, NUM_SHARES_AD); + s->x[1] = MREDUCE(s->x[1], NUM_SHARES_KEY, NUM_SHARES_AD); + s->x[2] = MREDUCE(s->x[2], NUM_SHARES_KEY, NUM_SHARES_AD); + s->x[3] = MREDUCE(s->x[3], NUM_SHARES_KEY, NUM_SHARES_AD); + s->x[4] = MREDUCE(s->x[4], NUM_SHARES_KEY, NUM_SHARES_AD); + s->x[5] = MREDUCE(s->x[5], NUM_SHARES_KEY, NUM_SHARES_AD); +} + +void ascon_level_encdec(state_t* s) { + s->x[0] = MEXPAND(s->x[0], NUM_SHARES_AD, NUM_SHARES_M); + s->x[1] = MEXPAND(s->x[1], NUM_SHARES_AD, NUM_SHARES_M); + s->x[2] = MEXPAND(s->x[2], NUM_SHARES_AD, NUM_SHARES_M); + s->x[3] = MEXPAND(s->x[3], NUM_SHARES_AD, NUM_SHARES_M); + s->x[4] = MEXPAND(s->x[4], NUM_SHARES_AD, NUM_SHARES_M); + s->x[5] = MEXPAND(s->x[5], NUM_SHARES_AD, NUM_SHARES_M); +} + +void ascon_level_final(state_t* s) { + s->x[0] = MEXPAND(s->x[0], NUM_SHARES_M, NUM_SHARES_KEY); + s->x[1] = MEXPAND(s->x[1], NUM_SHARES_M, NUM_SHARES_KEY); + s->x[2] = MEXPAND(s->x[2], NUM_SHARES_M, NUM_SHARES_KEY); + s->x[3] = MEXPAND(s->x[3], NUM_SHARES_M, NUM_SHARES_KEY); + s->x[4] = MEXPAND(s->x[4], NUM_SHARES_M, NUM_SHARES_KEY); + s->x[5] = MEXPAND(s->x[5], NUM_SHARES_M, NUM_SHARES_KEY); +} + 
+#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/endian.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/endian.h @@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/forceinline.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/forceinline.h 
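Review bot: ascon_iszero's last line `return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;` right-shifts a negative int when the tags match, and the value of that shift is implementation-defined in C, so the 0/-1 verdict silently depends on the compiler using an arithmetic shift. An unsigned formulation keeps it branch-free without that dependency: `return -(int)((result | (0u - result)) >> 31);` gives 0 when every folded word is zero and -1 otherwise, and the two `result |= result >> 16/8` folds are then unnecessary. The `#if 0` block carrying an older ascon_xortag/ascon_iszero pair should be deleted rather than shipped; it also refers to NUM_SHARES_MC, which the live code in this file no longer uses. The `c[4]` table of expected P(0) values for 1..6 rounds needs a comment describing how it was produced so it can be regenerated if ASCON_PB_ROUNDS or the state layout changes.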
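Review bot: U64BIG, U32BIG and U16BIG expand their argument eight, four and two times respectively, so a call such as `U32BIG(next_word())` would evaluate the call repeatedly; the visible callers in shares.c only pass a local `x`, but nothing in the header says that is required. Add `/* the argument is evaluated several times: pass a side-effect-free lvalue */` above the little-endian block, or, since forceinline.h is added in the same commit, turn the three macros into `forceinline` functions that evaluate the argument once. Whether `_MSC_VER` should unconditionally select the little-endian path is presumably fine for the targets in scope, but a one-line note saying so would help anyone porting.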
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constbranch b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constindex b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_emsca b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_emsca
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_emsca
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_1st b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_1st
new file mode 100644
index 0000000..b7fd1b9
--- /dev/null
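Review bot: The branch `#elif defined(__CLANG__)` tests a macro that clang never defines; clang's predefined macro is `__clang__` (lowercase), and since clang also defines `__GNUC__` the preceding branch already catches it, so this branch is dead either way. Either drop it, or if the `__has_attribute` probe is the intended path for clang, move it ahead of the `__GNUC__` test and spell it `#elif defined(__clang__)`. If it stays, `#if __has_attribute(__always_inline__)` should become `#if defined(__has_attribute) && __has_attribute(__always_inline__)`, because a preprocessor that lacks `__has_attribute` replaces the identifier with 0 and then chokes on the parenthesised argument.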
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_1st
@@ -0,0 +1,2 @@
+key using 3 rotated shares
+key using 2 rotated shares (on certain devices)
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_2nd b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_2nd
new file mode 100644
index 0000000..c0abbba
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/goal_powersca_2nd
@@ -0,0 +1 @@
+using 3 rotated shares (on certain devices)
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/implementors b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.c
new file mode 100644
index 0000000..a7059e6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.c
@@ -0,0 +1,6 @@
+#include "interleave.h"
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.h
new file mode 100644
index 0000000..e3f2d6d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/interleave.h
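Review bot: interleave.c exports three external symbols with very generic names, `B`, `TOBI` and `FROMBI` (interleave.h also declares `extern const uint32_t B[3]`), which will collide at link time with any other Ascon variant or library that defines the same names in one binary, a realistic situation for a benchmark harness that builds several implementations. Prefixing them (`ascon_bi_masks`, `ascon_tobi`, `ascon_frombi`) or giving `B` internal linkage removes the risk. If keeping `B` in memory rather than as immediates, and keeping TOBI/FROMBI out of line while inline versions exist in the header, is deliberate, for example to stop the compiler from combining share conversions, a comment saying so would stop the next reader from "optimizing" it away.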
@@ -0,0 +1,70 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "forceinline.h" + +#define BD(e, o, lo, hi) \ + do { \ + uint64_t tmp = TOBI((uint64_t)(hi) << 32 | (lo)); \ + e = (uint32_t)tmp; \ + o = tmp >> 32; \ + } while (0) + +#define BI(lo, hi, e, o) \ + do { \ + uint64_t tmp = FROMBI((uint64_t)(o) << 32 | (e)); \ + lo = (uint32_t)tmp; \ + hi = tmp >> 32; \ + } while (0) + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return (uint64_t)hi << 32 | lo; +} + +#endif /* INTERLEAVE_H_ */ 
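Review bot: interleave.h never states the bit-interleaved layout it implements, so readers of `BD`/`BI` and of the `w[0]`/`w[1]` halves elsewhere have to reverse-engineer it from the shuffles; as the code reads, deinterleave32 gathers the even bits of the 64-bit word into the low 32 bits and the odd bits into the high 32 bits, and interleave32 is its inverse. A comment on deinterleave32 such as `/* 64-bit word -> (even bits in low 32, odd bits in high 32) */` and the mirror on interleave32 would pin that down. The `B[]` masks used by deinterleave16/interleave16 are only meaningful with the 0xff00 step that follows, so the four-step swap deserves the same Hacker's Delight credit the 32-bit wrappers carry.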
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.c
new file mode 100644
index 0000000..1a34405
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.c
@@ -0,0 +1,20 @@
+#include "permutations.h"
+
+#include "api.h"
+#include "round.h"
+
+#if NUM_SHARES_KEY == 1 || NUM_SHARES_AD == 1 || NUM_SHARES_MC == 1
+void P1(state_t* s, int nr) { PROUNDS(s, nr, 1); }
+#endif
+
+#if NUM_SHARES_KEY == 2 || NUM_SHARES_AD == 2 || NUM_SHARES_MC == 2
+void P2(state_t* s, int nr) { PROUNDS(s, nr, 2); }
+#endif
+
+#if NUM_SHARES_KEY == 3 || NUM_SHARES_AD == 3 || NUM_SHARES_MC == 3
+void P3(state_t* s, int nr) { PROUNDS(s, nr, 3); }
+#endif
+
+#if NUM_SHARES_KEY == 4 || NUM_SHARES_AD == 4 || NUM_SHARES_MC == 4
+void P4(state_t* s, int nr) { PROUNDS(s, nr, 4); }
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.h
new file mode 100644
index 0000000..ad11003
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/permutations.h
@@ -0,0 +1,18 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include "ascon.h"
+
+void P1(state_t* s, int nr);
+void P2(state_t* s, int nr);
+void P3(state_t* s, int nr);
+void P4(state_t* s, int nr);
+
+forceinline void P(state_t* s, int nr, int ns) {
+ if (ns == 1) P1(s, nr);
+ if (ns == 2) P2(s, nr);
+ if (ns == 3) P3(s, nr);
+ if (ns == 4) P4(s, nr);
+}
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.c
new file mode 100644
index 0000000..9bc0f3a
--- /dev/null
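Review bot: The guards that decide which of P1..P4 get compiled test `NUM_SHARES_KEY`, `NUM_SHARES_AD` and `NUM_SHARES_MC`, but the live callers in encrypt.c select the permutation with `NUM_SHARES_M` (ascon_encrypt, ascon_decrypt), `NUM_SHARES_AD` and `NUM_SHARES_KEY`; NUM_SHARES_MC only appears in encrypt.c's `#if 0` block. If config.h does not define NUM_SHARES_MC (it is not visible here), the preprocessor treats it as 0 and the variant needed for the message share count is silently not emitted, surfacing later as an undefined reference. Extend each guard with `|| NUM_SHARES_M == n || NUM_SHARES_C == n` (or define NUM_SHARES_MC from them in config.h), and add an `#error` when none of the configured share counts falls in 1..4 so a bad config fails at compile time rather than at link time.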
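Review bot: P() references all four of P1..P4 although permutations.c only defines the variants whose share count is configured, so the `if (ns == n)` chain relies on the compiler propagating the constant `ns` after inlining and dropping the dead calls; a -O0 or `-fno-inline` build, which debugging a masked implementation is likely to need, can fail to link with undefined P2/P3/P4. Guarding each declaration and each call with the same `#if` conditions permutations.c uses, or providing empty stubs for the unconfigured variants, makes the header independent of optimization level. A comment on P noting that `ns` must be a compile-time constant at every call site would also document the assumption the `if` chain is making.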
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.c @@ -0,0 +1,45 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +#include "ascon.h" +#include "shares.h" +#include "word.h" + +void printword(const char* text, const word_t x, int ns) { + uint32_t lo, hi, e = 0, o = 0; + for (int d = 0; d < ns; ++d) { + e ^= ROR32(x.s[d].w[0], ROT(d)); + o ^= ROR32(x.s[d].w[1], ROT(d)); + } + BI(lo, hi, e, o); + printf("%s=%016" PRIx64, text, (uint64_t)hi << 32 | lo); +#ifdef ASCON_PRINTBI32 + printf(" (%08x_%08x)", o, e); +#endif +} + +void printstate(const char* text, const state_t* s, int ns) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0], ns); + printword(" x1", s->x[1], ns); + printword(" x2", s->x[2], ns); + printword(" x3", s->x[3], ns); + printword(" x4", s->x[4], ns); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.h new file mode 100644 index 0000000..a68f067 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const word_t x, int ns); +void printstate(const char* text, const state_t* si, int ns); + +#else + +#define printword(text, w, ns) \ + do { \ + } while (0) + +#define printstate(text, s, ns) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ 
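Review bot: printword recombines every share (`e ^= ROR32(x.s[d].w[0], ROT(d))` over all `ns` shares) and prints the unmasked state, including the key-loaded words after the "init 1st key xor" and "final 1st key xor" calls in encrypt.c, so any build with ASCON_PRINT_STATE defined undoes the masking at each printstate call and writes secrets to stdout. That is the right tool for tracing test vectors, but it should be labelled: put `/* DEBUG ONLY: recombines all shares and prints the unmasked state; never define ASCON_PRINT_STATE in a deployed build */` at the top of printstate.c and beside the `#ifdef` in printstate.h. The padding loop `for (int i = strlen(text); i < 17; ++i)` narrows a size_t into int; `(int)strlen(text)` makes that explicit and silences sign-comparison warnings.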
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/round.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/round.h
new file mode 100644
index 0000000..ee37ab1
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/round.h
@@ -0,0 +1,99 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "constants.h" +#include "printstate.h" + +forceinline state_t AFFINE1(state_t s, int i, int d) { + s.x[2].s[d].w[i] ^= s.x[1].s[d].w[i]; + s.x[0].s[d].w[i] ^= s.x[4].s[d].w[i]; + s.x[4].s[d].w[i] ^= s.x[3].s[d].w[i]; + return s; +} + +forceinline state_t AFFINE2(state_t s, int i, int d) { + s.x[2].s[d].w[i] ^= s.x[5].s[d].w[i]; + s.x[1].s[d].w[i] ^= s.x[0].s[d].w[i]; + s.x[0].s[d].w[i] ^= s.x[4].s[d].w[i]; + s.x[3].s[d].w[i] ^= s.x[2].s[d].w[i]; + return s; +} + +forceinline state_t SBOX(state_t s, int i, int ns) { + /* affine layer 1 */ + if (ns >= 1) s = AFFINE1(s, i, 0); + if (ns >= 2) s = AFFINE1(s, i, 1); + if (ns >= 3) s = AFFINE1(s, i, 2); + if (ns >= 4) s = AFFINE1(s, i, 3); + /* Toffoli gates */ + s.x[5] = MXORBIC(s.x[5], s.x[4], s.x[3], i, ns); + s.x[4] = MXORBIC(s.x[4], s.x[1], s.x[0], i, ns); + s.x[1] = MXORBIC(s.x[1], s.x[3], s.x[2], i, ns); + s.x[3] = MXORBIC(s.x[3], s.x[0], s.x[4], i, ns); + s.x[0] = MXORBIC(s.x[0], s.x[2], s.x[1], i, ns); + /* affine layer 2 */ + if (ns >= 1) s = AFFINE2(s, i, 0); + s.x[2].s[0].w[i] = ~s.x[2].s[0].w[i]; + if (ns >= 2) s = AFFINE2(s, i, 1); + if (ns >= 3) s = AFFINE2(s, i, 2); + if (ns >= 4) s = AFFINE2(s, i, 3); + return s; +} + +forceinline state_t LINEAR(state_t s, int d) { + state_t t; + t.x[0].s[d].w[0] = s.x[0].s[d].w[0] ^ ROR32(s.x[0].s[d].w[1], 4); + t.x[0].s[d].w[1] = s.x[0].s[d].w[1] ^ ROR32(s.x[0].s[d].w[0], 5); + t.x[1].s[d].w[0] = s.x[1].s[d].w[0] ^ ROR32(s.x[1].s[d].w[0], 11); + t.x[1].s[d].w[1] = s.x[1].s[d].w[1] ^ ROR32(s.x[1].s[d].w[1], 11); + t.x[2].s[d].w[0] = s.x[2].s[d].w[0] ^ ROR32(s.x[2].s[d].w[1], 2); + t.x[2].s[d].w[1] = s.x[2].s[d].w[1] ^ ROR32(s.x[2].s[d].w[0], 3); + t.x[3].s[d].w[0] = s.x[3].s[d].w[0] ^ ROR32(s.x[3].s[d].w[1], 3); + t.x[3].s[d].w[1] = s.x[3].s[d].w[1] ^ ROR32(s.x[3].s[d].w[0], 4); + t.x[4].s[d].w[0] = s.x[4].s[d].w[0] ^ ROR32(s.x[4].s[d].w[0], 17); + t.x[4].s[d].w[1] = s.x[4].s[d].w[1] ^ 
ROR32(s.x[4].s[d].w[1], 17); + s.x[0].s[d].w[0] ^= ROR32(t.x[0].s[d].w[1], 9); + s.x[0].s[d].w[1] ^= ROR32(t.x[0].s[d].w[0], 10); + s.x[1].s[d].w[0] ^= ROR32(t.x[1].s[d].w[1], 19); + s.x[1].s[d].w[1] ^= ROR32(t.x[1].s[d].w[0], 20); + s.x[2].s[d].w[0] ^= ROR32(t.x[2].s[d].w[1], 0); + s.x[2].s[d].w[1] ^= ROR32(t.x[2].s[d].w[0], 1); + s.x[3].s[d].w[0] ^= ROR32(t.x[3].s[d].w[0], 5); + s.x[3].s[d].w[1] ^= ROR32(t.x[3].s[d].w[1], 5); + s.x[4].s[d].w[0] ^= ROR32(t.x[4].s[d].w[1], 3); + s.x[4].s[d].w[1] ^= ROR32(t.x[4].s[d].w[0], 4); + return s; +} + +forceinline void ROUND_(state_t* p, uint8_t C_o, uint8_t C_e, int ns) { + state_t s = *p; + /* constant and sbox layer*/ + s.x[2].s[0].w[0] ^= C_e; + s = SBOX(s, 0, ns); + s.x[2].s[0].w[1] ^= C_o; + s = SBOX(s, 1, ns); + /* reuse rotated randomness */ + s.x[5] = MREUSE(s.x[5], 0, ns); + /* linear layer*/ + if (ns >= 4) s = LINEAR(s, 3); + if (ns >= 3) s = LINEAR(s, 2); + if (ns >= 2) s = LINEAR(s, 1); + if (ns >= 1) s = LINEAR(s, 0); + *p = s; + printstate(" round output", &s, ns); +} + +forceinline void ROUND(state_t* p, uint64_t C, int ns) { + ROUND_(p, C >> 32, C, ns); +} + +forceinline void PROUNDS(state_t* s, int nr, int ns) { + int i = START(nr); + do { + ROUND_(s, RC(i), ns); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.c b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.c new file mode 100644 index 0000000..ae090bb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.c 
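Review bot: ROUND(p, C, ns) passes `C >> 32` and `C` straight into ROUND_'s `uint8_t C_o, C_e` parameters, silently truncating a uint64_t to its low byte; nothing in this hunk or in encrypt.c/permutations.c calls ROUND (PROUNDS calls ROUND_ with RC(i) directly), so either drop it or make the narrowing explicit with `ROUND_(p, (uint8_t)(C >> 32), (uint8_t)C, ns);`. AFFINE1/2, SBOX and LINEAR take and return `state_t` by value, so both the performance and the side-channel profile of this round depend on every call being inlined; a build that does not honour `forceinline` would leave copies of successive masked round stages on the stack, which is a different leakage situation from the one the goal_powersca files describe, and that assumption deserves a comment at the top of the file. The `s.x[2].s[0].w[i] = ~s.x[2].s[0].w[i];` in SBOX is correctly applied to share 0 only, but a short `/* NOT on one share suffices under Boolean masking */` would save the next reader a double take.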
@@ -0,0 +1,160 @@ + +#include "shares.h" + +#include +#include + +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR64(uint64_t x, int n) { + return x >> n | x << (-n & 63); +} + +void generate_shares(uint32_t* s, int num_shares, const uint8_t* data, + uint64_t len); + +void combine_shares(uint8_t* data, uint64_t len, const uint32_t* s, + int num_shares); + +void generate_shares_encrypt(const unsigned char* m, mask_m_uint32_t* ms, + const unsigned long long mlen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks) { + generate_shares((uint32_t*)ks, NUM_SHARES_KEY, k, CRYPTO_KEYBYTES); + generate_shares((uint32_t*)npubs, NUM_SHARES_NPUB, npub, CRYPTO_NPUBBYTES); + generate_shares((uint32_t*)ads, NUM_SHARES_AD, ad, adlen); + generate_shares((uint32_t*)ms, NUM_SHARES_M, m, mlen); +} + +void generate_shares_decrypt(const unsigned char* c, mask_c_uint32_t* cs, + const unsigned long long clen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks) { + unsigned long long mlen = clen - CRYPTO_ABYTES; + mask_c_uint32_t* ts = cs + NUM_WORDS(mlen); + generate_shares((uint32_t*)ks, NUM_SHARES_KEY, k, CRYPTO_KEYBYTES); + generate_shares((uint32_t*)npubs, NUM_SHARES_NPUB, npub, CRYPTO_NPUBBYTES); + generate_shares((uint32_t*)ads, NUM_SHARES_AD, ad, adlen); + generate_shares((uint32_t*)cs, NUM_SHARES_C, c, mlen); + generate_shares((uint32_t*)ts, NUM_SHARES_C, c + mlen, CRYPTO_ABYTES); +} + +void combine_shares_encrypt(const mask_c_uint32_t* cs, unsigned char* c, + unsigned long long clen) { + unsigned long long mlen = clen - CRYPTO_ABYTES; + const mask_c_uint32_t* ts = cs + 
NUM_WORDS(mlen); + combine_shares(c, mlen, (uint32_t*)cs, NUM_SHARES_C); + combine_shares(c + mlen, CRYPTO_ABYTES, (uint32_t*)ts, NUM_SHARES_C); +} + +void combine_shares_decrypt(const mask_m_uint32_t* ms, unsigned char* m, + unsigned long long mlen) { + combine_shares(m, mlen, (uint32_t*)ms, NUM_SHARES_M); +} + +void generate_shares(uint32_t* s, int num_shares, const uint8_t* data, + uint64_t len) { + uint32_t rnd0, rnd1; + uint64_t rnd, i; + /* generate random shares */ + for (i = 0; i < NUM_WORDS(len); i += 2) { + s[(i + 0) * num_shares + 0] = 0; + s[(i + 1) * num_shares + 0] = 0; + for (int d = 1; d < num_shares; ++d) { + RND(rnd0); + RND(rnd1); + s[(i + 0) * num_shares + d] = rnd0; + s[(i + 1) * num_shares + d] = rnd1; +#if ASCON_EXTERN_BI + s[(i + 0) * num_shares + 0] ^= ROR32(rnd0, ROT(d)); + s[(i + 1) * num_shares + 0] ^= ROR32(rnd1, ROT(d)); +#else + rnd = ROR64((uint64_t)rnd1 << 32 | rnd0, ROT(2 * d)); + s[(i + 0) * num_shares + 0] ^= (uint32_t)rnd; + s[(i + 1) * num_shares + 0] ^= (uint32_t)(rnd >> 32); +#endif + } + } + /* mask complete words */ + for (i = 0; i < len / 8; ++i) { + uint64_t x; + memcpy(&x, data + i * 8, 8); + x = U64BIG(x); +#if ASCON_EXTERN_BI + x = TOBI(x); +#endif + s[(2 * i + 0) * num_shares + 0] ^= (uint32_t)x; + s[(2 * i + 1) * num_shares + 0] ^= (uint32_t)(x >> 32); + } + /* mask remaining bytes */ + if ((len / 8 * 8) != len) { + uint64_t x = 0; + for (i = (len / 8) * 8; i < len; ++i) { + x ^= (uint64_t)data[i] << ((i % 8) * 8); + } + x = U64BIG(x); +#if ASCON_EXTERN_BI + x = TOBI(x); +#endif + s[(2 * (len / 8) + 0) * num_shares + 0] ^= (uint32_t)x; + s[(2 * (len / 8) + 1) * num_shares + 0] ^= (uint32_t)(x >> 32); + } +} + +void combine_shares(uint8_t* data, uint64_t len, const uint32_t* s, + int num_shares) { + uint32_t rnd0, rnd1; + uint64_t i; + /* unmask complete words */ + for (i = 0; i < len / 8; ++i) { + uint64_t x = 0; + for (int d = 0; d < num_shares; ++d) { + rnd0 = s[(2 * i + 0) * num_shares + d]; + rnd1 = s[(2 * i + 1) 
* num_shares + d]; +#if ASCON_EXTERN_BI + x ^= (uint64_t)ROR32(rnd0, ROT(d)); + x ^= (uint64_t)ROR32(rnd1, ROT(d)) << 32; +#else + x ^= ROR64((uint64_t)rnd1 << 32 | rnd0, ROT(2 * d)); +#endif + } +#if ASCON_EXTERN_BI + x = FROMBI(x); +#endif + x = U64BIG(x); + memcpy(data + i * 8, &x, 8); + } + /* unmask remaining bytes */ + if ((len / 8 * 8) != len) { + uint64_t x = 0; + for (int d = 0; d < num_shares; ++d) { + rnd0 = s[(2 * (len / 8) + 0) * num_shares + d]; + rnd1 = s[(2 * (len / 8) + 1) * num_shares + d]; +#if ASCON_EXTERN_BI + x ^= (uint64_t)ROR32(rnd0, ROT(d)); + x ^= (uint64_t)ROR32(rnd1, ROT(d)) << 32; +#else + x ^= ROR64((uint64_t)rnd1 << 32 | rnd0, ROT(2 * d)); +#endif + } +#if ASCON_EXTERN_BI + x = FROMBI(x); +#endif + x = U64BIG(x); + for (i = (len / 8) * 8; i < len; ++i) { + data[i] = x >> ((i % 8) * 8); + } + } +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.h new file mode 100644 index 0000000..af21b0b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/shares.h 
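Review bot: generate_shares_decrypt computes `unsigned long long mlen = clen - CRYPTO_ABYTES;` with no `clen < CRYPTO_ABYTES` check, so a short ciphertext wraps `mlen`, `NUM_WORDS(mlen)` overflows, and generate_shares then reads far past `c` and writes past `cs`; guard it with `if (clen < CRYPTO_ABYTES) return;` (better, return an int so the caller can reject the input before touching the key shares). Separately, the partial-block paths in generate_shares and combine_shares build the tail with `x ^= (uint64_t)data[i] << ((i % 8) * 8)` / `data[i] = x >> ((i % 8) * 8)` and then apply U64BIG, which puts byte 0 in the low byte before the swap; that matches the full-word memcpy path on a little-endian target, but on a big-endian build, which endian.h in this commit explicitly supports with U64BIG as the identity, the tail bytes land in the wrong positions while full words do not. Replacing the two loops with the same memcpy the full-word path uses, `memcpy(&x, data + (len / 8) * 8, len % 8);` in generate_shares and `memcpy(data + (len / 8) * 8, &x, len % 8);` after the U64BIG in combine_shares, makes both paths agree on every byte order. The local ROR32/ROR64 duplicate the ones in word.h; if the include chain allows it, include word.h instead of redefining them.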
@@ -0,0 +1,56 @@ +#ifndef SHARES_H_ +#define SHARES_H_ + +#include + +#include "api.h" +#include "config.h" +#include "randombytes.h" + +#define NUM_WORDS(len) ((((len) + 7) / 8) * 2) +#define ROT(i) (((i) * (ASCON_ROR_SHARES)) & 31) +#define RND(rnd) randombytes((unsigned char*)&rnd, 4) + +typedef struct { + uint32_t shares[NUM_SHARES_M]; +} mask_m_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_C]; +} mask_c_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_AD]; +} mask_ad_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_NPUB]; +} mask_npub_uint32_t; + +typedef struct { + uint32_t shares[NUM_SHARES_KEY]; +} mask_key_uint32_t; + +void generate_shares_encrypt(const unsigned char* m, mask_m_uint32_t* ms, + const unsigned long long mlen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks); + +void generate_shares_decrypt(const unsigned char* c, mask_c_uint32_t* cs, + const unsigned long long clen, + const unsigned char* ad, mask_ad_uint32_t* ads, + const unsigned long long adlen, + const unsigned char* npub, + mask_npub_uint32_t* npubs, const unsigned char* k, + mask_key_uint32_t* ks); + +void combine_shares_encrypt(const mask_c_uint32_t* cs, unsigned char* c, + unsigned long long clen); + +void combine_shares_decrypt(const mask_m_uint32_t* ms, unsigned char* m, + unsigned long long mlen); + +#endif /* SHARES_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/word.h b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/word.h new file mode 100644 index 0000000..9360136 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/protected_bi32_armv6_leveled/word.h 
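Review bot: The mask_*_uint32_t typedefs carry no description of the share encoding; from generate_shares in shares.c, share 0 absorbs the data and every share d >= 1 is stored pre-rotated, so the value is the XOR over d of `ROR32(shares[d], ROT(d))` (or a 64-bit rotate by ROT(2*d) when ASCON_EXTERN_BI is off), and each input occupies `NUM_WORDS(len)` words, two per 64-bit block. A comment above the typedefs stating that would let callers build and consume shares without reading shares.c. `RND(rnd)` draws four bytes from randombytes per share word, and the entire side-channel claim of this implementation rests on that source being unpredictable on the target device, so the macro needs a `/* randombytes must be a hardware or CS RNG on the device; a deterministic harness RNG voids the SCA protection */` note, presumably aimed at benchmark builds that link the NIST test harness's randombytes.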
@@ -0,0 +1,236 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "asm.h" +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" +#include "shares.h" + +typedef struct { + uint32_t w[2]; +} share_t; + +typedef struct { + share_t s[NUM_SHARES_KEY]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR32x2(uint64_t x, int n) { + uint32_t lo = x; + uint32_t hi = x >> 32; + lo = ROR32(lo, n); + hi = ROR32(hi, n); + return (uint64_t)hi << 32 | lo; +} + +forceinline uint64_t ROR64(uint64_t x, int n) { + return x >> n | x << (-n & 63); +} + +forceinline word_t MXOR(word_t a, word_t b, int ns) { + if (ns >= 1) a.s[0].w[0] ^= b.s[0].w[0]; + if (ns >= 1) a.s[0].w[1] ^= b.s[0].w[1]; + if (ns >= 2) a.s[1].w[0] ^= b.s[1].w[0]; + if (ns >= 2) a.s[1].w[1] ^= b.s[1].w[1]; + if (ns >= 3) a.s[2].w[0] ^= b.s[2].w[0]; + if (ns >= 3) a.s[2].w[1] ^= b.s[2].w[1]; + if (ns >= 4) a.s[3].w[0] ^= b.s[3].w[0]; + if (ns >= 4) a.s[3].w[1] ^= b.s[3].w[1]; + return a; +} + +forceinline word_t MXORBIC(word_t c, word_t a, word_t b, int i, int ns) { + uint32_t tmp; + if (ns == 1) { + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + } + if (ns == 2) { + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + EOR_BIC_ROR(c.s[1].w[i], a.s[1].w[i], b.s[0].w[i], 0 - 1, tmp); + CLEAR(); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[1].w[i], 0, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[1].w[i], 1 - 0, tmp); + CLEAR(); + } + if (ns == 3) { + EOR_AND_ROR(c.s[0].w[i], b.s[0].w[i], a.s[1].w[i], 1 - 0, tmp); + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + EOR_AND_ROR(c.s[0].w[i], b.s[0].w[i], a.s[2].w[i], 2 - 0, tmp); + EOR_AND_ROR(c.s[1].w[i], b.s[1].w[i], a.s[2].w[i], 2 - 1, tmp); + EOR_BIC_ROR(c.s[1].w[i], a.s[1].w[i], b.s[1].w[i], 0, tmp); + EOR_AND_ROR(c.s[1].w[i], b.s[1].w[i], a.s[0].w[i], 0 - 1, tmp); + EOR_BIC_ROR(c.s[2].w[i], 
b.s[2].w[i], a.s[0].w[i], 0 - 2, tmp); + EOR_ORR_ROR(c.s[2].w[i], a.s[2].w[i], b.s[2].w[i], 0, tmp); + EOR_AND_ROR(c.s[2].w[i], b.s[2].w[i], a.s[1].w[i], 1 - 2, tmp); + } + if (ns == 4) { + EOR_BIC_ROR(c.s[0].w[i], a.s[0].w[i], b.s[0].w[i], 0, tmp); + EOR_BIC_ROR(c.s[1].w[i], a.s[1].w[i], b.s[0].w[i], 0 - 1, tmp); + EOR_BIC_ROR(c.s[2].w[i], a.s[2].w[i], b.s[0].w[i], 0 - 2, tmp); + EOR_BIC_ROR(c.s[3].w[i], a.s[3].w[i], b.s[0].w[i], 0 - 3, tmp); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[1].w[i], 0, tmp); + EOR_AND_ROR(c.s[2].w[i], a.s[2].w[i], b.s[1].w[i], 1 - 2, tmp); + EOR_AND_ROR(c.s[3].w[i], a.s[3].w[i], b.s[1].w[i], 1 - 3, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[1].w[i], 1 - 0, tmp); + EOR_AND_ROR(c.s[2].w[i], a.s[2].w[i], b.s[2].w[i], 0, tmp); + EOR_AND_ROR(c.s[3].w[i], a.s[3].w[i], b.s[2].w[i], 2 - 3, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[2].w[i], 2 - 0, tmp); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[2].w[i], 2 - 1, tmp); + EOR_AND_ROR(c.s[3].w[i], a.s[3].w[i], b.s[3].w[i], 0, tmp); + EOR_AND_ROR(c.s[0].w[i], a.s[0].w[i], b.s[3].w[i], 3 - 0, tmp); + EOR_AND_ROR(c.s[1].w[i], a.s[1].w[i], b.s[3].w[i], 3 - 1, tmp); + EOR_AND_ROR(c.s[2].w[i], a.s[2].w[i], b.s[3].w[i], 3 - 2, tmp); + } + return c; +} + +forceinline word_t MXORAND(word_t c, word_t a, word_t b, int ns) { + b.s[0].w[0] = ~b.s[0].w[0]; + b.s[0].w[1] = ~b.s[0].w[1]; + c = MXORBIC(c, a, b, 0, ns); + c = MXORBIC(c, a, b, 1, ns); + return c; +} + +forceinline word_t MRND(int ns) { + word_t w; + if (ns >= 2) RND(w.s[1].w[0]); + if (ns >= 2) RND(w.s[1].w[1]); + if (ns >= 3) RND(w.s[2].w[0]); + if (ns >= 3) RND(w.s[2].w[1]); + if (ns >= 4) RND(w.s[3].w[0]); + if (ns >= 4) RND(w.s[3].w[1]); + return w; +} + +forceinline word_t MMIX(word_t w, int ns) { + if (ns >= 2) w.s[1].w[0] = ROR32(w.s[1].w[0], 7); + if (ns >= 2) w.s[1].w[1] = ROR32(w.s[1].w[1], 7); + if (ns >= 3) w.s[2].w[0] = ROR32(w.s[2].w[0], 13); + if (ns >= 3) w.s[2].w[1] = ROR32(w.s[2].w[1], 13); + if (ns >= 4) w.s[3].w[0] 
= ROR32(w.s[3].w[0], 29); + if (ns >= 4) w.s[3].w[1] = ROR32(w.s[3].w[1], 29); + return w; +} + +forceinline word_t MREDUCE(word_t w, int nsi, int nso) { + if (nsi >= 2 && nso < 2) w.s[0].w[0] ^= ROR32(w.s[1].w[0], ROT(1)); + if (nsi >= 2 && nso < 2) w.s[0].w[1] ^= ROR32(w.s[1].w[1], ROT(1)); + if (nsi >= 3 && nso < 3) w.s[0].w[0] ^= ROR32(w.s[2].w[0], ROT(2)); + if (nsi >= 3 && nso < 3) w.s[0].w[1] ^= ROR32(w.s[2].w[1], ROT(2)); + if (nsi >= 4 && nso < 4) w.s[0].w[0] ^= ROR32(w.s[3].w[0], ROT(3)); + if (nsi >= 4 && nso < 4) w.s[0].w[1] ^= ROR32(w.s[3].w[1], ROT(3)); + return w; +} + +forceinline word_t MEXPAND(word_t w, int nsi, int nso) { + return MREDUCE(w, nso, nsi); +} + +forceinline word_t MREUSE(word_t w, uint64_t val, int ns) { + w.s[0].w[0] = (uint32_t)val; + w.s[0].w[1] = val >> 32; + w = MMIX(w, ns); + w = MEXPAND(w, 1, ns); + return w; +} + +forceinline word_t MZERO(int ns) { + word_t w; + w = MRND(ns); + w = MREUSE(w, 0, ns); + return w; +} + +forceinline word_t MMASK(word_t w, int n) { + uint32_t mask = 0xffffffff >> (n * 4); + w.s[0].w[0] ^= mask; + w.s[0].w[1] ^= mask; + return w; +} + +forceinline word_t MREFRESH(word_t w, int ns) { + word_t r = MZERO(ns); + return MXOR(w, r, ns); +} + +forceinline int MNOTZERO(word_t a, word_t b, int ns) { + word_t c = MZERO(ns); + /* note: OR(a,b) = ~BIC(~a,b) */ + a.s[0].w[0] = ~a.s[0].w[0]; + a.s[0].w[1] = ~a.s[0].w[1]; + /* OR first and second 64-bit word */ + c = MXORBIC(c, a, b, 0, ns); + c = MXORBIC(c, a, b, 1, ns); + /* OR even and odd words */ + if (ns >= 1) b.s[0].w[0] = c.s[0].w[1]; + if (ns >= 2) b.s[1].w[0] = c.s[1].w[1]; + if (ns >= 3) b.s[2].w[0] = c.s[2].w[1]; + if (ns >= 4) b.s[3].w[0] = c.s[3].w[1]; + a = MXORBIC(a, b, c, 0, ns); + /* loop to OR 16/8/4/2/1 bit chunks */ + for (int i = 16; i > 0; i >>= 1) { + if (ns >= 1) b.s[0].w[0] = ROR32(a.s[0].w[0], i); + if (ns >= 2) b.s[1].w[0] = ROR32(a.s[1].w[0], i); + if (ns >= 3) b.s[2].w[0] = ROR32(a.s[2].w[0], i); + if (ns >= 4) b.s[3].w[0] = 
ROR32(a.s[3].w[0], i); + c = MXORBIC(c, a, b, 0, ns); + if (ns >= 1) a.s[0].w[0] = c.s[0].w[0]; + if (ns >= 2) a.s[1].w[0] = c.s[1].w[0]; + if (ns >= 3) a.s[2].w[0] = c.s[2].w[0]; + if (ns >= 4) a.s[3].w[0] = c.s[3].w[0]; + } + /* unmask result */ + if (ns >= 2) a.s[0].w[0] ^= ROR32(a.s[1].w[0], ROT(1)); + if (ns >= 3) a.s[0].w[0] ^= ROR32(a.s[2].w[0], ROT(2)); + if (ns >= 4) a.s[0].w[0] ^= ROR32(a.s[3].w[0], ROT(3)); + return ~a.s[0].w[0]; +} + +forceinline share_t LOADSHARE(uint32_t* data, int ns) { + share_t s; +#if !ASCON_EXTERN_BI + BD(s.w[0], s.w[1], data[0], data[ns]); + if (ns == 2) CLEAR(); +#else + s.w[0] = data[0]; + s.w[1] = data[ns]; +#endif + return s; +} + +forceinline void STORESHARE(uint32_t* data, share_t s, int ns) { +#if !ASCON_EXTERN_BI + BI(data[0], data[ns], s.w[0], s.w[1]); + if (ns == 2) CLEAR(); +#else + data[0] = s.w[0]; + data[ns] = s.w[1]; +#endif +} + +forceinline word_t MLOAD(uint32_t* data, int ns) { + word_t w = {0}; + if (ns >= 1) w.s[0] = LOADSHARE(&(data[0]), ns); + if (ns >= 2) w.s[1] = LOADSHARE(&(data[1]), ns); + if (ns >= 3) w.s[2] = LOADSHARE(&(data[2]), ns); + if (ns >= 4) w.s[3] = LOADSHARE(&(data[3]), ns); + return w; +} + +forceinline void MSTORE(uint32_t* data, word_t w, int ns) { + if (ns >= 1) STORESHARE(&(data[0]), w.s[0], ns); + if (ns >= 2) STORESHARE(&(data[1]), w.s[1], ns); + if (ns >= 3) STORESHARE(&(data[2]), w.s[2], ns); + if (ns >= 4) STORESHARE(&(data[3]), w.s[3], ns); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/api.h b/ascon/Implementations/crypto_aead/ascon128v12/ref/api.h index bc90a81..2c7f738 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/ref/api.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 
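Review bot: `LOADSHARE` and `MLOAD` only read through `data` but take a non-const `uint32_t*`, which forces callers holding `const` share buffers to cast; `forceinline share_t LOADSHARE(const uint32_t* data, int ns)` and `forceinline word_t MLOAD(const uint32_t* data, int ns)` are the honest signatures (`STORESHARE`/`MSTORE` correctly keep the mutable pointer). `MRND` declares `word_t w;` and only fills shares 1..ns-1, so share 0 and any share at index >= ns are indeterminate when the struct is returned by value; the only caller visible here, `MZERO`, overwrites share 0 via `MREUSE`, but initialising with `word_t w = {0};` as `MLOAD` does would document that contract and avoid copying indeterminate bytes. `MMASK` computes `0xffffffff >> (n * 4)`, which is undefined for `n == 8` with a 32-bit `int`; if callers can pass 8 this needs a guard, otherwise a comment stating the precondition `n < 8` would suffice. The ref/api.h version bump that follows is trivial.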
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/ref/ascon.h index c998868..78a7c27 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/ref/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/ascon.h @@ -4,7 +4,7 @@ #include typedef struct { - uint64_t x0, x1, x2, x3, x4; + uint64_t x[5]; } state_t; -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/constants.h b/ascon/Implementations/crypto_aead/ascon128v12/ref/constants.h new file mode 100644 index 0000000..dc3d36d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV \ + (((uint64_t)(ASCON_128_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) + +#define ASCON_128A_IV \ + (((uint64_t)(ASCON_128A_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_128A_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_128A_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_128A_PB_ROUNDS) << 32)) + +#define ASCON_80PQ_IV \ + (((uint64_t)(ASCON_80PQ_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) + +#define ASCON_HASH_IV \ + (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32) | \ + ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) + +#define ASCON_HASHA_IV \ + (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32) | \ + ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) + +#define ASCON_XOF_IV \ + (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32)) + +#define ASCON_XOFA_IV \ + 
(((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32)) + +#define ASCON_PRF_IV \ + (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_PRF_OUT_RATE * 8) << 48) | \ + ((uint64_t)(0x80 | ASCON_PRF_PA_ROUNDS) << 40)) + +#define ASCON_MAC_IV \ + (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_PRF_OUT_RATE * 8) << 48) | \ + ((uint64_t)(0x80 | ASCON_PRF_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_PRF_BYTES * 8) << 0)) + +#define ASCON_PRFS_IV \ + (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \ + ((uint64_t)(0x40 | ASCON_PRF_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_PRF_BYTES * 8) << 32)) + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/ref/encrypt.c index 01c6098..d911703 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/ref/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/encrypt.c 
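Review bot: `ASCON_HASH_IV`, `ASCON_HASHA_IV`, `ASCON_PRF_IV`, `ASCON_MAC_IV` and `ASCON_PRFS_IV` expand `ASCON_HASH_BYTES`, `ASCON_PRF_BYTES` and `CRYPTO_KEYBYTES`, none of which this header defines (its single `#include` has lost its name in this view, presumably `<stdint.h>`), and the `#define ASCON_HASH_BYTES 32` that the old permutations.h carried is deleted in the permutations.h hunk below without being moved here. Because these are macros the AEAD build only notices if one of them is actually expanded, which is why it still compiles; any consumer that uses the hash or PRF IVs will get an undefined identifier. Either re-add `#define ASCON_HASH_BYTES 32` here or document the dependency, e.g. `/* ASCON_HASH_BYTES, ASCON_PRF_BYTES and CRYPTO_KEYBYTES must be provided by the including implementation (api.h) */`.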
@@ -23,60 +23,158 @@ int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, /* initialize */ state_t s; - s.x0 = ASCON_128_IV; - s.x1 = K0; - s.x2 = K1; - s.x3 = N0; - s.x4 = N1; + s.x[0] = ASCON_128_IV; + s.x[1] = K0; + s.x[2] = K1; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); P12(&s); - s.x3 ^= K0; - s.x4 ^= K1; - printstate("initialization", &s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("init 2nd key xor", &s); if (adlen) { /* full associated data blocks */ while (adlen >= ASCON_128_RATE) { - s.x0 ^= LOADBYTES(ad, 8); + s.x[0] ^= LOADBYTES(ad, 8); + printstate("absorb adata", &s); P6(&s); ad += ASCON_128_RATE; adlen -= ASCON_128_RATE; } /* final associated data block */ - s.x0 ^= LOADBYTES(ad, adlen); - s.x0 ^= PAD(adlen); + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + printstate("pad adata", &s); P6(&s); } /* domain separation */ - s.x4 ^= 1; - printstate("process associated data", &s); + s.x[4] ^= 1; + printstate("domain separation", &s); /* full plaintext blocks */ while (mlen >= ASCON_128_RATE) { - s.x0 ^= LOADBYTES(m, 8); - STOREBYTES(c, s.x0, 8); + s.x[0] ^= LOADBYTES(m, 8); + STOREBYTES(c, s.x[0], 8); + printstate("absorb plaintext", &s); P6(&s); m += ASCON_128_RATE; c += ASCON_128_RATE; mlen -= ASCON_128_RATE; } /* final plaintext block */ - s.x0 ^= LOADBYTES(m, mlen); - STOREBYTES(c, s.x0, mlen); - s.x0 ^= PAD(mlen); + s.x[0] ^= LOADBYTES(m, mlen); + STOREBYTES(c, s.x[0], mlen); + s.x[0] ^= PAD(mlen); c += mlen; - printstate("process plaintext", &s); + printstate("pad plaintext", &s); /* finalize */ - s.x1 ^= K0; - s.x2 ^= K1; + s.x[1] ^= K0; + s.x[2] ^= K1; + printstate("final 1st key xor", &s); P12(&s); - s.x3 ^= K0; - s.x4 ^= K1; - printstate("finalization", &s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("final 2nd key xor", &s); /* set tag */ - STOREBYTES(c, s.x3, 8); - STOREBYTES(c + 8, s.x4, 8); + STOREBYTES(c, s.x[3], 8); + STOREBYTES(c + 8, s.x[4], 8); return 0; } + +int 
crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + + if (clen < CRYPTO_ABYTES) return -1; + + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + + /* load key and nonce */ + const uint64_t K0 = LOADBYTES(k, 8); + const uint64_t K1 = LOADBYTES(k + 8, 8); + const uint64_t N0 = LOADBYTES(npub, 8); + const uint64_t N1 = LOADBYTES(npub + 8, 8); + + /* initialize */ + state_t s; + s.x[0] = ASCON_128_IV; + s.x[1] = K0; + s.x[2] = K1; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("init 2nd key xor", &s); + + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_128_RATE) { + s.x[0] ^= LOADBYTES(ad, 8); + printstate("absorb adata", &s); + P6(&s); + ad += ASCON_128_RATE; + adlen -= ASCON_128_RATE; + } + /* final associated data block */ + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + printstate("pad adata", &s); + P6(&s); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + + /* full ciphertext blocks */ + clen -= CRYPTO_ABYTES; + while (clen >= ASCON_128_RATE) { + uint64_t c0 = LOADBYTES(c, 8); + STOREBYTES(m, s.x[0] ^ c0, 8); + s.x[0] = c0; + printstate("insert ciphertext", &s); + P6(&s); + m += ASCON_128_RATE; + c += ASCON_128_RATE; + clen -= ASCON_128_RATE; + } + /* final ciphertext block */ + uint64_t c0 = LOADBYTES(c, clen); + STOREBYTES(m, s.x[0] ^ c0, clen); + s.x[0] = CLEARBYTES(s.x[0], clen); + s.x[0] |= c0; + s.x[0] ^= PAD(clen); + c += clen; + printstate("pad ciphertext", &s); + + /* finalize */ + s.x[1] ^= K0; + s.x[2] ^= K1; + printstate("final 1st key xor", &s); + P12(&s); + s.x[3] ^= K0; + s.x[4] ^= K1; + printstate("final 2nd key xor", &s); + + /* set tag */ + uint8_t t[16]; + STOREBYTES(t, s.x[3], 8); + 
STOREBYTES(t + 8, s.x[4], 8); + + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= c[i] ^ t[i]; + result = (((result - 1) >> 8) & 1) - 1; + + return result; +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/permutations.h b/ascon/Implementations/crypto_aead/ascon128v12/ref/permutations.h index ff5724d..3b9b892 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/ref/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/permutations.h 
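Review bot: The tag comparison at the end of `crypto_aead_decrypt` computes `((result - 1) >> 8) & 1` on a signed `int`, so for a matching tag it right-shifts -1 and relies on an arithmetic shift, which C leaves implementation-defined; `unsigned int result = 0;` together with `return (int)(((result - 1) >> 8) & 1) - 1;` gives the same 0/-1 result with fully defined unsigned wrap-around. Separately, the plaintext is written to `m` and `*mlen` is set before the tag is checked, so on a -1 return `m` holds unauthenticated data; a comment such as `/* m already holds the unverified plaintext; callers must discard it when the return value is non-zero */` above the verify loop would make that contract explicit. The encrypt side of this hunk only renames `s.xN` to `s.x[N]` and adds trace points, so nothing to raise there; `crypto_aead_encrypt` starts above the hunk.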
@@ -4,73 +4,11 @@ #include #include "ascon.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV \ - (((uint64_t)(ASCON_128_KEYBYTES * 8) << 56) | \ - ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) - -#define ASCON_128A_IV \ - (((uint64_t)(ASCON_128A_KEYBYTES * 8) << 56) | \ - ((uint64_t)(ASCON_128A_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_128A_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_128A_PB_ROUNDS) << 32)) - -#define ASCON_80PQ_IV \ - (((uint64_t)(ASCON_80PQ_KEYBYTES * 8) << 56) | \ - ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) - -#define ASCON_HASH_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32) | \ - ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) - -#define ASCON_HASHA_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32) | \ - ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) - -#define ASCON_XOF_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32)) - -#define ASCON_XOFA_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS) 
<< 40) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32)) - static inline void P12(state_t* s) { - printstate(" permutation input", s); ROUND(s, 0xf0); ROUND(s, 0xe1); ROUND(s, 0xd2); @@ -86,7 +24,6 @@ static inline void P12(state_t* s) { } static inline void P8(state_t* s) { - printstate(" permutation input", s); ROUND(s, 0xb4); ROUND(s, 0xa5); ROUND(s, 0x96); @@ -98,7 +35,6 @@ static inline void P8(state_t* s) { } static inline void P6(state_t* s) { - printstate(" permutation input", s); ROUND(s, 0x96); ROUND(s, 0x87); ROUND(s, 0x78); diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.c b/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.c @@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.h b/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.h index 77fc246..8b95b06 100644 
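Review bot: In printstate.c, `for (int i = strlen(text); i < 17; ++i)` narrows the `size_t` from `strlen` into an `int`; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` avoids the conversion and the sign-compare warning. The fallback `#ifndef WORDTOU64` / `#define WORDTOU64` defines the name as an empty object-like macro so that `WORDTOU64(x)` collapses to `(x)`; a one-line comment, `/* identity unless word.h supplies a conversion macro */`, would save the next reader a double take, and the same applies to the `U64BIG` fallback. The permutations.h hunks above only move constants out and drop trace calls, so nothing to raise there.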
--- a/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/round.h b/ascon/Implementations/crypto_aead/ascon128v12/ref/round.h index 64ad619..879e895 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/ref/round.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/round.h 
@@ -5,36 +5,36 @@ #include "printstate.h" static inline uint64_t ROR(uint64_t x, int n) { - return (x << (64 - n)) | (x >> n); + return x >> n | x << (-n & 63); } static inline void ROUND(state_t* s, uint8_t C) { state_t t; /* addition of round constant */ - s->x2 ^= C; + s->x[2] ^= C; /* printstate(" round constant", s); */ /* substitution layer */ - s->x0 ^= s->x4; - s->x4 ^= s->x3; - s->x2 ^= s->x1; + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; /* start of keccak s-box */ - t.x0 = s->x0 ^ (~s->x1 & s->x2); - t.x1 = s->x1 ^ (~s->x2 & s->x3); - t.x2 = s->x2 ^ (~s->x3 & s->x4); - t.x3 = s->x3 ^ (~s->x4 & s->x0); - t.x4 = s->x4 ^ (~s->x0 & s->x1); + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); /* end of keccak s-box */ - t.x1 ^= t.x0; - t.x0 ^= t.x4; - t.x3 ^= t.x2; - t.x2 = ~t.x2; + t.x[1] ^= t.x[0]; + t.x[0] ^= t.x[4]; + t.x[3] ^= t.x[2]; + t.x[2] = ~t.x[2]; /* printstate(" substitution layer", &t); */ /* linear diffusion layer */ - s->x0 = t.x0 ^ ROR(t.x0, 19) ^ ROR(t.x0, 28); - s->x1 = t.x1 ^ ROR(t.x1, 61) ^ ROR(t.x1, 39); - s->x2 = t.x2 ^ ROR(t.x2, 1) ^ ROR(t.x2, 6); - s->x3 = t.x3 ^ ROR(t.x3, 10) ^ ROR(t.x3, 17); - s->x4 = t.x4 ^ ROR(t.x4, 7) ^ ROR(t.x4, 41); + s->x[0] = t.x[0] ^ ROR(t.x[0], 19) ^ ROR(t.x[0], 28); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61) ^ ROR(t.x[1], 39); + s->x[2] = t.x[2] ^ ROR(t.x[2], 1) ^ ROR(t.x[2], 6); + s->x[3] = t.x[3] ^ ROR(t.x[3], 10) ^ ROR(t.x[3], 17); + s->x[4] = t.x[4] ^ ROR(t.x[4], 7) ^ ROR(t.x[4], 41); printstate(" round output", s); } diff --git a/ascon/Implementations/crypto_aead/ascon128v12/ref/word.h b/ascon/Implementations/crypto_aead/ascon128v12/ref/word.h index 4af47e3..3157950 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/ref/word.h +++ b/ascon/Implementations/crypto_aead/ascon128v12/ref/word.h 
@@ -2,11 +2,9 @@ #define WORD_H_ #include +#include -#define WORDTOU64 -#define U64TOWORD - -typedef uint64_t word_t; +typedef uint64_t uint64_t; /* get byte from 64-bit Ascon word */ #define GETBYTE(x, i) ((uint8_t)((uint64_t)(x) >> (56 - 8 * (i)))) diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/ascon.h 
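Review bot: `typedef uint64_t uint64_t;` in ref/word.h is a self-referential typedef: C11 tolerates re-declaring a typedef to the same type, but C99 and `-pedantic` builds diagnose it as a redefinition, and it conveys nothing. Since `word_t` is removed and printstate.h now declares `printword(const char* text, const uint64_t x)` directly, the line should simply be deleted. The added `#include` has lost its header name in this view (presumably `<stdint.h>`); worth confirming. The ascon80pqv12/armv6 api.h and architectures additions are trivial.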
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/config.h
new file mode 100644
index 0000000..99d7b54
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 0
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/constants.h
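Review bot: The new `typedef struct { ... } key_t;` in armv6/ascon.h reuses `key_t`, the name POSIX gives the System V IPC key type in `<sys/types.h>`; on hosts where that header is pulled in transitively (a test harness, or e.g. glibc's `<stdlib.h>` under its default feature macros) this becomes a conflicting type definition. A project-prefixed name such as `ascon_key_t`, with the `ascon_initaead`/`ascon_final` prototypes and encrypt.c adjusted to match, avoids the collision. The `#include` on the fourth line of the hunk has lost its header name in this view. The config.h hunk that follows only sets defaults and needs no change.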
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/encrypt.c
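Review bot: `START`, `INC` and `END` are undocumented and `INC` is an unparenthesised negative literal, `#define INC -0x0f`; `#define INC (-0x0f)` is the usual macro hygiene, unless the token is stringised for inline assembly elsewhere, in which case a comment should say so. A short comment explaining the encoding, e.g. `/* START(n) packs 3+n in the high nibble and 12-n in the low nibble of the round-constant counter; presumably stepped by INC until END */`, would let a reader check it against the RC0..RCb table without the permutation source. The hard-coded `ASCON_*_IV` values duplicate the bit-packed definitions in the ref constants.h earlier in this patch; a comment naming that derivation (key bits << 56 | rate bits << 48 | pa << 40 | pb << 32) would make the two files verifiably consistent.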
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/endian.h 
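Review bot: `crypto_aead_decrypt` writes the plaintext into `m` and sets `*mlen` before the tag is compared, so when `NOTZERO` reports a mismatch the caller has already received unauthenticated data; a comment above the verify step, `/* m already holds the unverified plaintext; callers must discard it when the return value is non-zero */`, should accompany the existing "should be constant time" remark. The same ordering applies to the ref implementation earlier in the patch. `ascon_loadkey` uses `LOAD` for the 16-byte key but `LOADBYTES` for the 20-byte one; if the two macros differ, as the separate names suggest, a comment explaining why the 80pq path needs byte-wise loads would help, since `ascon_initaead` assigns `k1`/`k2` straight into the state in both cases. The forceinline stubs above it are unremarkable.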
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/forceinline.h 
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.c 
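Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be selected: clang's predefined macro is spelled `__clang__` (lowercase), and clang also defines `__GNUC__`, so it is already handled by the preceding branch. The dead branch is harmless but misleading to the next reader; either drop it or spell it `#elif defined(__clang__)`. The armv6_lowsize copy of forceinline.h in the later hunk carries the same text.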
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
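Review bot: In the two unrolled variants of `P(state_t* s, int nr)` the three independent `if (nr == …)` tests silently do nothing for any other round count, so a wrong constant in a caller would leave the state unpermuted without a diagnostic. Since callers pass compile-time constants the cost of stating the contract is nil; I would add `/* nr must be 6, 8 or 12; any other value is a silent no-op */` above the first definition, or turn the chain into `if`/`else if` so the intent that exactly one branch runs is visible.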
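Review bot: printstate prints all five state words to stdout, and the state holds key material once ascon_initaead has loaded the key into x[1] and x[2] (visible in the lowsize encrypt.c later in this diff; the armv6 variant presumably does the same). The `#ifdef ASCON_PRINT_STATE` guard is the right mechanism, but a header comment such as `/* debug aid for KAT tracing only: dumps the secret state, never enable in a shipped build */` would make that explicit. Minor: `for (int i = strlen(text); i < 17; ++i)` initialises an int from a size_t; `(int)strlen(text)` avoids the sign-conversion warning.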
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/round.h new file mode 100644 index 0000000..cdc6a38 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/round.h 
@@ -0,0 +1,283 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor 
%[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] 
"=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor 
%[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ 
\ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], 
lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* 
ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ 
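Review bot: ROUND_LOOP ends with `cmp %[C], #60` and `bne`, which write the condition flags, yet the asm statement's clobber list is empty (`: : );`); declare it as `: : "cc");` so the compiler never keeps a live flag value across the statement. It may well be correct today if the ARM backend already treats flags as clobbered, but the declaration is free and documents the intent. Separately, ROUND and ROUND5 bind the round constant with the `"i"` constraint, which only assembles when C is a compile-time constant after inlining, so an unoptimised build is likely to fail with a constraint error rather than run; a comment on the constraint line, `/* "i": C must fold to a constant, i.e. this only builds when inlined */`, would save the next person a confusing build break.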
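Review bot: LOAD and STORE access a full `uint64_t` through the `uint8_t*` regardless of `n`, so for a partial block they read and write memory past `bytes[n-1]`; STORE additionally clears only the low `n` bytes and then ORs in all eight bytes of `WORDTOU64(w)`, so the upper bytes of the state word land in the destination's tail. The armv6 ascon_decrypt calls `STORE(m, *px, clen)` on the final partial block, where `m` need only be `*mlen` bytes long, so unless every caller guarantees slack after its buffers this is an out-of-bounds access and a leak of state bytes into memory the caller did not hand over. The `*(uint64_t*)bytes` cast is also a strict-aliasing violation and an unaligned 64-bit access on ARMv6. Using the same memcpy form that LOADBYTES/STOREBYTES already use touches exactly `n` bytes and is equivalent on little-endian targets.

```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* touches exactly n bytes; no over-read of the tail */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n); /* touches exactly n bytes; upper bytes of w never reach memory */
}
```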
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/api.h
new file mode 100644
index 0000000..085b24c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 20
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/ascon.h
new file mode 100644
index 0000000..70a4dee
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/ascon.h
@@ -0,0 +1,36 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include 
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+#define ASCON_ABSORB 0x1
+#define ASCON_SQUEEZE 0x2
+#define ASCON_INSERT 0x4
+#define ASCON_HASH 0x8
+#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE)
+#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT)
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode);
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode);
+
+#endif /* ASCON_H_ */
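Review bot: `typedef struct { … } key_t;` in ascon.h reuses the name `key_t`, which POSIX declares in `<sys/types.h>` (and which many libc headers pull in transitively), so including this header next to any system header that defines it is a redefinition error. A project-prefixed name such as `ascon_key_t` avoids the collision; the same typedef appears in the armv6 ascon.h, which is outside this chunk.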
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/crypto_aead.c 
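Review bot: `#define INC -0x0f` expands without parentheses, so an expression like `x INC` or `2*INC` reads as `x -0x0f` / `2*-0x0f` and relies on the reader knowing the macro is negative; `#define INC (-0x0f)` is the conventional form. Likewise `START(n)` mixes `<<` and `|` with no grouping, `(((3 + (n)) << 4) | (12 - (n)))` states the precedence explicitly. Neither changes the generated value.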
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include 
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/encrypt.c
new file mode 100644
index 0000000..c6100f6
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/encrypt.c
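Review bot: crypto_aead_decrypt writes the decrypted bytes into `m` before the tag comparison, so on a failed verification the caller is handed unauthenticated plaintext with only the return value to warn it. The NIST/SUPERCOP API leaves `m` unspecified on failure, but zeroing it and reporting `*mlen = 0` is cheap defence in depth and removes the chance that a caller ignores the -1; the armv6 crypto_aead_decrypt earlier in this diff has the same shape. The comparison loop itself is fine: `result` stays in 0..255, so `(((result - 1) >> 8) & 1) - 1` is 0 or -1 without a data-dependent branch.

```c
  /* verify tag (should be constant time, check compiler output) */
  int result = 0;
  for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
  result = (((result - 1) >> 8) & 1) - 1;
  if (result) {
    /* do not release unauthenticated plaintext to the caller */
    for (unsigned long long i = 0; i < *mlen; ++i) m[i] = 0;
    *mlen = 0;
  }
  return result;
```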
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/endian.h 
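Review bot: ascon_aead stores the tag with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and `((uint64_t*)t)[1] = …`, but its callers in crypto_aead.c pass `uint8_t t[16]`, a stack array with only byte alignment; writing it through a `uint64_t*` is a strict-aliasing violation and, on ARMv6 where an unaligned 64-bit store can fault, a potential crash rather than merely undefined behaviour. A byte-wise store fixes both: `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` if the lowsize word.h provides STOREBYTES as the armv6 one does (that header is outside this chunk), otherwise a memcpy of each word. The `tlen` parameter is named `len` in the ascon.h prototype; aligning the two names would help cross-referencing.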
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/forceinline.h 
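Review bot: `U64BIG`, `U32BIG` and `U16BIG` evaluate their argument eight, four and two times respectively, so an argument with a side effect, or a nested expansion such as printstate.c's `U64BIG(WORDTOU64(x))`, silently multiplies evaluations; the macros are only safe with a plain variable. Either state that at the top, `/* NOTE: the argument is evaluated multiple times; pass a plain variable, never an expression with side effects */`, or make them inline functions. The `_MSC_VER` branch assumes every MSVC target is little-endian, which holds for the targets MSVC currently supports but is worth saying in the comment rather than leaving implicit.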
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.c
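Review bot: The `#elif defined(__CLANG__)` branch tests a macro clang does not define; clang predefines `__clang__` in lowercase. The branch is unreachable in practice because clang also defines `__GNUC__` and is caught by the preceding `#elif`, but as written it reads like a working fallback and is dead. Either spell it `#elif defined(__clang__)` or delete it and note on the GNUC branch, `/* covers GCC and clang (clang defines __GNUC__) */`.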
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.c 
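Review bot: In both unrolled variants `P(state_t* s, int nr)` silently does nothing when `nr` is not 12, 8 or 6, so a wrong round count would leave the state unpermuted rather than fail at build or run time. The callers visible in this patch pass compile-time constants, so this is a contract-documentation point rather than a live bug; a comment such as `/* nr must be 12, 8 or 6; any other value leaves s untouched */` above the first `P` definition would make the assumption explicit. The bare `#include` on the fourth line of the hunk looks like a system header lost in extraction rather than a defect in the source.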
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/round.h new file mode 100644 index 0000000..cdc6a38 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/round.h 
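Review bot: `printstate` prints all five state words to stdout, and the callers in this patch invoke it right after the key words are loaded into `x1`/`x2` (`init 1st key xor`) and around the final key XOR, so an `ASCON_PRINT_STATE` build writes key-derived material to the console. The `#ifdef ASCON_PRINT_STATE` guard makes this a debug-only path, but nothing in the file says so; add at the top `/* Debug aid only: dumps the full sponge state, including key-dependent words, to stdout. Never define ASCON_PRINT_STATE in a production build. */`. The padding loop `for (int i = strlen(text); i < 17; ++i)` narrows `size_t` to `int`, which is harmless for the short labels used here but will draw a sign-comparison warning.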
@@ -0,0 +1,283 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor 
%[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] 
"=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor 
%[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ 
\ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], 
lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* 
ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/update.c new file mode 100644 index 0000000..b81b24e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/update.c 
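Review bot: `ROUND_LOOP` executes `cmp %[C], #60` and `bne`, which overwrite the condition flags, yet the asm statement's clobber list is empty (`: :);`), so the compiler is never told the flags are destroyed; make it `: "cc");`. Whether GCC keeps flags live across an asm statement on ARM is compiler-dependent, so this is a correctness-by-contract fix rather than a reproduced miscompile. `ROUND` and `ROUND5` pass the round constant with the `"i"` constraint, which only assembles once `C` has been constant-folded into the inlined caller; a comment stating `/* C must be a compile-time constant: an un-inlined or -O0 build fails with "impossible constraint" */` would turn an obscure assembler error into a known limitation. The `github_com` in the `ROUND5` comment appears to be a garbled `github.com`.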
@@ -0,0 +1,77 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode) { +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } + /* extract data */ + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = tmp; + printstate("insert ciphertext", s); + } + /* compute permutation for full blocks */ +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; + } + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null 
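Review bot: `uint64_t tmp;` is declared without an initializer and, when `ASCON_HASH_BYTES` is defined, is only assigned inside `if (mode & ASCON_ABSORB)`, while the later `if (mode & ASCON_INSERT) { s->x[i] = tmp; ... }` reads it for any mode that has INSERT without ABSORB. Whether such a mode combination exists depends on the flag definitions, which are not in this patch, so the safe change is `uint64_t tmp = 0;`, which costs nothing on the path that does assign it. The `ASCON_AEAD_ROUNDS` selection here duplicates `nr = (ASCON_AEAD_RATE == 8) ? 6 : 8` in aead.c; one definition in constants.h would keep the two aligned.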
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6_lowsize/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/api.h 
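Review bot: `LOAD` and `STORE` touch a full 8-byte word at `bytes` regardless of `n`: `LOAD` dereferences `*(uint64_t*)bytes` and masks afterwards, and `STORE` clears `n` bytes and then ORs in the entire 64-bit word. The armv6m encrypt.c in this patch calls `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `STORE(m, *px, clen)` with lengths below 8; if that directory's word.h matches this one, those calls read up to 7 bytes past the partial input and, on decrypt, write state bytes past `m + clen`, which is out of bounds for a plaintext buffer sized exactly `clen`, and the cast also assumes an 8-byte alignment a `uint8_t*` does not guarantee on ARMv6. `LOADBYTES`/`STOREBYTES` below already do the exact-width memcpy form, so the word variants can use the same shape; a constant-8 memcpy folds to a single load or store. The `/* undefined for n == 0 */` comments are swapped in meaning: `MASK(0)` shifts by 64 and is undefined, whereas `CLEAR(w, 0)` is `~0ull >> 0` and well defined.

```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* exact-width, alignment-agnostic read of n <= 8 bytes */
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* write only the n bytes the caller owns */
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
```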
@@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/ascon.h @@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/config.h new file mode 100644 index 0000000..0ac7395 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/config.h 
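Review bot: `typedef struct { ... } key_t;` in ascon.h takes the name of the POSIX `key_t` from `<sys/types.h>`, so any translation unit that includes both, directly or through a system header that pulls in `<sys/types.h>`, fails with a conflicting typedef; a project-prefixed `ascon_key_t` avoids the collision. The struct's layout also depends on `CRYPTO_KEYBYTES` being defined before ascon.h is included, but ascon.h includes only word.h, not api.h. Every `.c` file in this patch happens to include api.h first except printstate.c, which includes printstate.h (and thus ascon.h) before anything else, so that unit sees a `key_t` without `k0`; it is harmless today because printstate.c never touches `key_t`, but adding `#include "api.h"` to ascon.h makes the layout independent of include order.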
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/encrypt.c 
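Review bot: `START`, `INC` and `END` encode the loop-counter schedule consumed by the `ROUND_LOOP` asm in round.h (subtract 0x0f per round, stop when the counter reaches 0x3c), but nothing here says so and a reader has to reverse the arithmetic. Suggest a comment above them: `/* Loop-counter encoding for PROUNDS: START(n) is the first round constant of an n-round permutation (0xf0 for 12, 0xb4 for 8, 0x96 for 6), each round adds INC (-0x0f), and the loop stops when the counter equals END (0x3c, one step past RCb). */`. `#define INC -0x0f` should be parenthesized as `(-0x0f)`, and `START(n)` relies on `<<` binding tighter than `|`; writing it `(((3 + (n)) << 4) | (12 - (n)))` removes the doubt.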
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/endian.h 
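Review bot: `crypto_aead_decrypt` writes the decrypted bytes into `m` before the tag is checked and, on a mismatch, returns -1 with the unauthenticated plaintext still in the caller's buffer and `*mlen` already set to `clen`, so a caller that mishandles the return value consumes forged plaintext. Wiping `m` and reporting zero length on failure closes that gap; the rewrite below assumes `<string.h>` is reachable, which word.h's use of `memcpy` suggests. Separately, the final-block path uses `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `STORE(m, *px, clen)` with lengths below 8; if this directory's word.h matches the armv6_lowsize one in this patch, those access a full 8-byte word, reading past the partial input and writing state bytes past `m + clen` on decrypt, so the memcpy-based `LOADBYTES`/`STOREBYTES` already used for the tag are the safer choice for partial blocks. `key` and `s` are also left on the stack at return in both entry points.

```c
  s.x[3] ^= LOADBYTES(c + clen, 8);
  s.x[4] ^= LOADBYTES(c + clen + 8, 8);
  if (NOTZERO(s.x[3], s.x[4])) {
    /* never release unauthenticated plaintext */
    memset(m, 0, clen);
    *mlen = 0;
    return -1;
  }
  return 0;
```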
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/forceinline.h 
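Review bot: On the little-endian path `U64BIG(x)` expands its argument eight times, so any argument with a side effect is evaluated eight times and nested uses multiply — word.h defines `WORDTOU64(x)` as `U64BIG(x)` and printstate.c then wraps it again as `U64BIG(WORDTOU64(x))`, i.e. 64 textual copies of `x`. Under GCC/Clang the macro could be `#define U64BIG(x) __builtin_bswap64(x)` (single evaluation, one `rev`-style instruction on ARM) with the shift form kept only as the fallback for other compilers. The `_MSC_VER` test is taken to imply little-endian without a comment saying so; a one-line note making that assumption explicit would help the next port.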
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.c 
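Review bot: The `#elif defined(__CLANG__)` branch is unreachable: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also predefines `__GNUC__`, so clang always takes the preceding GNU branch and the `__has_attribute` probe is dead code. Since the GNU branch already produces the same `inline __attribute__((__always_inline__))` definition, the simplest fix is to delete the dead branch; if the attribute probe is wanted, spell it `#elif defined(__clang__)` and move it above the `__GNUC__` test.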
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.c 
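Review bot: In both unrolled variants of `P(state_t* s, int nr)` the three `if (nr == 12/8/6)` tests have no else branch, so any other `nr` silently applies no permutation and the caller continues with an unpermuted state; a wrong round count would not fail loudly but would yield cryptographically broken output. Document the contract at the top of each variant, e.g. `/* nr must be 12, 8 or 6; any other value is a silent no-op here (the PROUNDS variant in round.h has no check either) */`, or chain them `if / else if / else` with the last branch trapping — `__builtin_trap()` is acceptable since the file already relies on GCC attributes.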
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/round.h new file mode 100644 index 0000000..92b9712 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/round.h 
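Review bot: `printstate()` dumps the full 320-bit permutation state to stdout, and the callers in encrypt.c invoke it right after the key is XORed in (`"init 1st key xor"`, `"final 1st key xor"`), so any build with `ASCON_PRINT_STATE` defined writes key-dependent intermediate secrets to the console; that is fine for KAT debugging but deserves a warning so the macro never reaches a release configuration. Add above the `#ifdef`: `/* Debug tracing only: prints the secret internal state (including key-dependent words) to stdout. Never define ASCON_PRINT_STATE in a production build. */`. Minor: `for (int i = strlen(text); i < 17; ++i)` narrows a `size_t` to `int`; `(int)strlen(text)` makes the intent explicit and silences the conversion warning.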
@@ -0,0 +1,347 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "push {%[tmp1]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], 
%[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], %[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + 
"movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" + "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "pop {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + "sub %[tmp1], %[tmp1], #15\n\t" + "cmp %[tmp1], #60\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "=l"(tmp0), [ tmp2 ] "=l"(tmp1) + : + :); 
+} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp0], %[C]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], 
%[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + "movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" 
+ "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C ] "ri"(C) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ 
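Review bot: `ROUND_LOOP` exits only when the counter hits `0x3c` by exact equality (`sub ... #15` / `cmp ... #60` / `beq rend_`), and `PROUNDS(s, nr)` feeds it `START(nr)` with no range check; only `START(1)`..`START(12)` lie on that 15-step sequence, so any other round count never reaches the end value and the loop runs for on the order of 2^32 iterations — a wrong `nr` hangs the device rather than failing. State the precondition where it is enforced by construction, above `ROUND_LOOP`: `/* C must be START(nr) with 1 <= nr <= 12: the loop exits only when C == END (0x3c) after repeated subtraction of 0x0f; there is no bounds check. */`. The operand names are also crossed — the asm symbol `tmp1` is bound to the C variable `C` and `tmp2` to the C variable `tmp1` — which makes auditing the register allocation error-prone; renaming the C locals to match the asm symbols would help.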
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m/word.h @@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ 
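Review bot: `LOAD` and `STORE` access a whole 8-byte word through `*(uint64_t*)bytes` regardless of `n`, and `STORE` ORs all eight bytes of `WORDTOU64(w)` after clearing only the first `n`, so a partial-block call (encrypt.c's final block passes `clen < 8`) reads up to 7 bytes past the input and read-modify-writes up to 7 bytes past the output with whatever the upper state bytes hold — an out-of-bounds access on exact-size caller buffers. The cast also assumes 8-byte alignment and breaks strict aliasing, and ARMv6-M, the target of this directory, faults on unaligned word accesses, so even a full-block load from an unaligned message pointer can hard-fault. `LOADBYTES`/`STOREBYTES` in the same file already do this correctly with `memcpy`; rewrite `LOAD`/`STORE` the same way (for `n == 8` the result is identical, and `MASK(0)` being undefined no longer matters), leaving the compiler to turn the constant-size copies in the full-block loop into plain loads.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* Touch exactly n bytes: no over-read, no alignment or aliasing assumption. */
  uint64_t x = 0;
  memcpy(&x, bytes, n);
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* Write exactly n bytes; bytes[n..7] are never read or modified. */
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n);
}
/* … unchanged: LOADBYTES, STOREBYTES (same memcpy pattern) … */
```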
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/ascon.h new file mode 100644 index 0000000..70a4dee --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/ascon.h @@ -0,0 +1,36 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#define ASCON_ABSORB 0x1 +#define ASCON_SQUEEZE 0x2 +#define ASCON_INSERT 0x4 +#define ASCON_HASH 0x8 +#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE) +#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT) + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode); + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode); + +#endif /* ASCON_H_ */ 
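Review bot: `typedef struct { ... } key_t;` reuses `key_t`, a type name POSIX reserves in `<sys/types.h>` (the System V IPC key type); any translation unit that includes this header next to a POSIX header — a host-side test harness, for instance — gets a conflicting typedef and fails to compile, and the bare-metal target merely hides the problem. A project-prefixed name such as `ascon_key_t` avoids the clash, and `state_t` would benefit from the same prefix for consistency.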
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/config.h new file mode 100644 index 0000000..f5873d0 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/config.h @@ -0,0 +1,19 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + /* ascon encryption */ + ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); + /* set tag */ + for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i]; + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + /* ascon decryption */ + ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT); + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i]; + return (((result - 1) >> 8) & 1) - 1; +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/encrypt.c new file mode 100644 index 0000000..c6100f6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/encrypt.c 
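Review bot: On tag mismatch `crypto_aead_decrypt` returns -1 but leaves the fully decrypted, unauthenticated plaintext in `m` (written by `ascon_aead` before the tag is compared), so a caller that ignores the return value or logs the buffer processes forged data; the computed tag in `t` is not wiped either. Consider clearing the output on failure, `if (result) memset(m, 0, (size_t)*mlen);` before the final return — this branches only on the public verification outcome, not on secrets — or state in the comment that the caller must discard `m` whenever the return is non-zero. The compare accumulates every byte before deciding, which is the right shape; note that `((result - 1) >> 8)` relies on an arithmetic right shift of a negative `int`, which is implementation-defined in C (GCC documents it as arithmetic), so an unsigned formulation would be more portable.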
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/endian.h 
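Review bot: `ascon_aead` writes the tag with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and `((uint64_t*)t)[1] = WORDTOU64(s.x[4]);`, a type-punned 64-bit store into the caller's `uint8_t t[16]` (a plain byte array in crypto_aead.c with no alignment guarantee); this violates strict aliasing and, on the ARMv6-M target this directory is for, an unaligned word store hard-faults. word.h already provides a safe helper, so use `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);`. The nonce load `LOAD(npub, 8)` in `ascon_initaead` has the same alignment exposure, but that is word.h's `LOAD` and should be fixed there.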
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/forceinline.h 
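Review bot: This copy of endian.h has the same multiple-evaluation hazard as the armv6m one: the little-endian `U64BIG(x)` expands `x` eight times, and word.h's `WORDTOU64(x)` is `U64BIG(x)` again, so nested uses grow quadratically and any side-effecting argument is evaluated repeatedly. Under GCC/Clang prefer `#define U64BIG(x) __builtin_bswap64(x)` with the shift form as fallback, and comment that `_MSC_VER` is being treated as implying little-endian.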
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.c
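Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable as written: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so clang always takes the preceding `__GNUC__` branch. The dead branch is harmless but misleading for anyone relying on the `__has_attribute` fallback; either spell it `#elif defined(__clang__)` or drop the branch. The same file is added unchanged for armv7m in the forceinline.h hunk further down this page.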
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/permutations.h
@@ -0,0 +1,78 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+forceinline void P12ROUNDS(state_t* s) {
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.c
new file mode 100644
index 0000000..9b03f87
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.c
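Review bot: `P(s, nr)` in both unrolled variants is a chain of three `if`s that silently leaves the state untouched when `nr` is anything other than 12, 8 or 6, whereas the looped variant hands any `nr` straight to `PROUNDS`. Callers on this page only pass 12 and a rate-derived 6 or 8, so this is a documentation gap rather than a live bug, but a skipped permutation would reduce the mode to a linear XOR of key, nonce and data, which is worth stating at the declaration: `/* nr must be 12, 8 or 6; other values are silently ignored by the unrolled variants */`.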
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/round.h
new file mode 100644
index 0000000..92b9712
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/round.h
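Review bot: `printstate` writes all five state words to stdout, and at the `init 1st key xor` call in encrypt.c on this page x1/x2 hold the key words directly, so any build with `ASCON_PRINT_STATE` defined prints key material into its debug output. That is fine for a test harness but deserves a comment at the top of printstate.h, e.g. `/* Debug aid only: dumps the full state, which holds the key words during init and final; keep ASCON_PRINT_STATE out of production builds */`. Minor: `for (int i = strlen(text); i < 17; ++i)` narrows `size_t` to `int`; `size_t i` matches the comparison and avoids the conversion warning.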
@@ -0,0 +1,347 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "push {%[tmp1]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], 
%[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], %[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + 
"movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" + "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "pop {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + "sub %[tmp1], %[tmp1], #15\n\t" + "cmp %[tmp1], #60\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "=l"(tmp0), [ tmp2 ] "=l"(tmp1) + : + :); 
+} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp0], %[C]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp1], %[x1_l]\n\t" + "bic %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "and %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x1_l], %[x0_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x0_h], %[x2_l]\n\t" + "movs %[x1_h], %[x0_l]\n\t" + "movs %[x0_l], %[x2_h]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x3_h], %[x4_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "eor %[tmp2], %[tmp2], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "mvn %[tmp0], %[x1_l]\n\t" + "orr %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x4_l], %[x0_l]\n\t" + "bic %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x1_l], %[x1_l], %[x4_l]\n\t" + "mvn %[x4_l], %[tmp2]\n\t" + "orr %[x4_l], %[x4_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x4_l], %[x3_l]\n\t" + "bic %[x4_l], %[x4_l], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[x4_l]\n\t" + "movs %[x4_l], %[x2_l]\n\t" + "and %[x4_l], %[x4_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" + "movs %[x4_h], 
%[x2_l]\n\t" + "movs %[x2_l], %[x0_h]\n\t" + "movs %[x0_h], %[x1_l]\n\t" + "lsr %[x4_l], %[x0_l], #6\n\t" + "lsl %[x1_l], %[x2_l], #26\n\t" + "lsr %[tmp0], %[x2_l], #6\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #26\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x0_l], #1\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[x2_l], #31\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x2_l], #1\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x0_l], #31\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp0]\n\t" + "lsl %[x4_l], %[x3_l], #3\n\t" + "lsr %[x1_l], %[tmp1], #29\n\t" + "lsl %[tmp0], %[tmp1], #3\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #29\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[x3_l], #25\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp1], #7\n\t" + "eor %[x4_l], %[x4_l], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp1], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[x3_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[x3_l], %[x3_l], %[x4_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp0]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp2], #23\n\t" + "lsr %[x1_l], %[x4_l], #9\n\t" + "lsl %[tmp0], %[x4_l], #23\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #9\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsr %[x1_l], %[tmp2], #7\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsl %[x1_l], %[x4_l], #25\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "lsr %[x1_l], %[x4_l], #7\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "lsl %[x1_l], %[tmp2], #25\n\t" + "eor %[tmp0], %[tmp0], %[x1_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" + "movs %[x1_l], %[x3_h]\n\t" + "movs %[tmp1], %[x4_h]\n\t" + "movs %[x4_h], %[tmp2]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x2_h]\n\t" 
+ "movs %[x2_h], %[x0_l]\n\t" + "lsr %[tmp2], %[tmp1], #17\n\t" + "lsl %[x0_l], %[x3_l], #15\n\t" + "lsr %[tmp0], %[x3_l], #17\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #15\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsr %[x0_l], %[tmp1], #10\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsl %[x0_l], %[x3_l], #22\n\t" + "eor %[tmp2], %[tmp2], %[x0_l]\n\t" + "lsr %[x0_l], %[x3_l], #10\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "lsl %[x0_l], %[tmp1], #22\n\t" + "eor %[tmp0], %[tmp0], %[x0_l]\n\t" + "eor %[tmp1], %[tmp1], %[tmp2]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[x0_l], %[x1_h]\n\t" + "movs %[x0_h], %[x4_l]\n\t" + "movs %[x1_h], %[x3_h]\n\t" + "movs %[x3_h], %[tmp1]\n\t" + "lsr %[x4_l], %[tmp0], #28\n\t" + "lsl %[tmp1], %[x0_l], #4\n\t" + "lsr %[tmp2], %[x0_l], #28\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #4\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsr %[tmp1], %[tmp0], #19\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsl %[tmp1], %[x0_l], #13\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "lsr %[tmp1], %[x0_l], #19\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "lsl %[tmp1], %[tmp0], #13\n\t" + "eor %[tmp2], %[tmp2], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[tmp0]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C ] "ri"(C) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ 
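Review bot: `ROUND_LOOP` hardcodes its loop step and terminator as `sub %[tmp1], %[tmp1], #15` / `cmp %[tmp1], #60`, duplicating `INC` (-0x0f) and `END` (0x3c) from constants.h; if those constants or `START(n)` ever change, the asm silently desynchronises from the C side. Because the exit test is `beq rend_%=` rather than a greater-or-equal compare, a start value that does not land exactly on 60 in steps of 15 loops forever, so the accepted `nr` values (12, 8, 6) should be stated next to the function. The operand naming is also easy to misread: asm operand `[tmp1]` is bound to `C` and `[tmp2]` to the C variable `tmp1`. Suggested header comment for `ROUND_LOOP`, whose body spans the first four physical lines of this hunk: `/* loop counter doubles as round constant: starts at START(nr), steps by INC down to END (see constants.h); nr must be 12, 8 or 6 */`.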
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/update.c
new file mode 100644
index 0000000..b81b24e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/update.c
@@ -0,0 +1,77 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode) {
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) {
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
+ }
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
+ }
+ /* compute permutation for full blocks */
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
+ }
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
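Review bot: `uint64_t tmp;` is declared uninitialised and the `ASCON_INSERT` branch assigns `s->x[i] = tmp;` (and later `s->x[i] ^= tmp;`), so correctness depends on the preceding absorb block always having run; that holds in the AEAD-only build shown here because the `#ifdef ASCON_HASH_BYTES` guard drops out, but in a combined build it relies on `ASCON_DECRYPT` carrying the `ASCON_ABSORB` bit, which is not visible on this page. Initialising it, `uint64_t tmp = 0;`, costs nothing and removes the dependency. The `mode` parameter also deserves a one-line comment naming the flag bits it accepts (`ASCON_ABSORB`, `ASCON_SQUEEZE`, `ASCON_INSERT`, `ASCON_HASH`) and that `ASCON_ENCRYPT`/`ASCON_DECRYPT` are combinations of them, since this function is their only consumer here. When `ASCON_AEAD_RATE` is 8, `rate` is computed but never read, which compilers will warn about.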
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv6m_lowsize/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/api.h
new file mode 100644
index 0000000..085b24c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/api.h
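Review bot: The comment on `CLEAR` says `/* undefined for n == 0 */`, but `~0ull >> (8 * n)` is well defined for n == 0 and undefined for n == 8 (shift by 64); the comment looks copied from `MASK`, where n == 0 is the undefined case, so it should read `/* undefined for n == 8 */`. `LOAD` and `STORE` always access all 8 bytes at `bytes` through a `uint64_t*` regardless of n, so callers must provide 8 readable/writable bytes even for a short block; update.c on this page uses `LOADBYTES`/`STOREBYTES` for the tail, so it stays in bounds, but that contract belongs in a comment on both functions. On armv6-M cores an unaligned word access presumably faults, so the same cast assumes the caller's buffer is suitably aligned or that the compiler emits byte-wise loads — worth confirming for caller-supplied pointers. `NOTZERO` relies on the right shift of a negative `int` being arithmetic, which is implementation-defined in C; a one-line comment stating that assumption would help a porter.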
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 20
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/ascon.h
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/config.h
new file mode 100644
index 0000000..99d7b54
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/config.h
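Review bot: ascon.h evaluates `#if (CRYPTO_KEYBYTES == 20)` but includes only `word.h`, so it depends on every includer pulling in api.h first; if api.h is missing, the preprocessor treats the undefined macro as 0, `k0` silently disappears from `key_t`, and encrypt.c's `key->k0` accesses fail with a confusing error rather than a clear one. Adding `#include "api.h"` at the top of ascon.h (or `#ifndef CRYPTO_KEYBYTES` / `#error`) makes the dependency explicit. The typedef name `key_t` also collides with the POSIX `key_t` from `<sys/types.h>` when that header is reachable through the system headers, which I cannot confirm from this page; a project-prefixed name would avoid the clash.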
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 0
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/constants.h
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define
ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/encrypt.c
@@ -0,0 +1,220 @@
+#include "api.h"
+#include "ascon.h"
+#include "crypto_aead.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ if (adlen) {
+ /* full associated data blocks */
+ while (adlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(ad, 8);
+ if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8);
+ printstate("absorb adata", s);
+ P(s, nr);
+ ad += ASCON_AEAD_RATE;
+ adlen -= ASCON_AEAD_RATE;
+ }
+ /* final associated data block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && adlen >= 8) {
+ s->x[0] ^= LOAD(ad, 8);
+ px = &s->x[1];
+ ad += 8;
+ adlen -= 8;
+ }
+ *px ^= PAD(adlen);
+ if (adlen) *px ^= LOAD(ad, adlen);
+ printstate("pad adata", s);
+ P(s, nr);
+ }
+ /* domain separation */
+ s->x[4] ^= 1;
+ printstate("domain separation", s);
+}
+
+forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m,
+ uint64_t mlen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ /* full plaintext blocks */
+ while (mlen >= ASCON_AEAD_RATE) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ if (ASCON_AEAD_RATE == 16) {
+ s->x[1] ^= LOAD(m + 8, 8);
+ STORE(c + 8, s->x[1], 8);
+ }
+ printstate("absorb plaintext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ mlen -= ASCON_AEAD_RATE;
+ }
+ /* final plaintext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && mlen >= 8) {
+ s->x[0] ^= LOAD(m, 8);
+ STORE(c, s->x[0], 8);
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ mlen -= 8;
+ }
+ *px ^= PAD(mlen);
+ if (mlen) {
+ *px ^= LOAD(m, mlen);
+ STORE(c, *px, mlen);
+ }
+ printstate("pad plaintext", s);
+}
+
+forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c,
+ uint64_t clen) {
+ const int nr = (ASCON_AEAD_RATE == 8) ?
6 : 8;
+ /* full ciphertext blocks */
+ while (clen >= ASCON_AEAD_RATE) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ if (ASCON_AEAD_RATE == 16) {
+ cx = LOAD(c + 8, 8);
+ s->x[1] ^= cx;
+ STORE(m + 8, s->x[1], 8);
+ s->x[1] = cx;
+ }
+ printstate("insert ciphertext", s);
+ P(s, nr);
+ m += ASCON_AEAD_RATE;
+ c += ASCON_AEAD_RATE;
+ clen -= ASCON_AEAD_RATE;
+ }
+ /* final ciphertext block */
+ uint64_t* px = &s->x[0];
+ if (ASCON_AEAD_RATE == 16 && clen >= 8) {
+ uint64_t cx = LOAD(c, 8);
+ s->x[0] ^= cx;
+ STORE(m, s->x[0], 8);
+ s->x[0] = cx;
+ px = &s->x[1];
+ m += 8;
+ c += 8;
+ clen -= 8;
+ }
+ *px ^= PAD(clen);
+ if (clen) {
+ uint64_t cx = LOAD(c, clen);
+ *px ^= cx;
+ STORE(m, *px, clen);
+ *px = CLEAR(*px, clen);
+ *px ^= cx;
+ }
+ printstate("pad ciphertext", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ *clen = mlen + CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_encrypt(&s, c, m, mlen);
+ ascon_final(&s, &key);
+ /* set tag */
+ STOREBYTES(c + mlen, s.x[3], 8);
+ STOREBYTES(c + mlen + 8, s.x[4], 8);
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned
char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ state_t s;
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ *mlen = clen = clen - CRYPTO_ABYTES;
+ /* perform ascon computation */
+ key_t key;
+ ascon_loadkey(&key, k);
+ ascon_initaead(&s, npub, &key);
+ ascon_adata(&s, ad, adlen);
+ ascon_decrypt(&s, m, c, clen);
+ ascon_final(&s, &key);
+ /* verify tag (should be constant time, check compiler output) */
+ s.x[3] ^= LOADBYTES(c + clen, 8);
+ s.x[4] ^= LOADBYTES(c + clen + 8, 8);
+ return NOTZERO(s.x[3], s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/endian.h
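Review bot: The final-block paths use `LOAD(ad, adlen)`, `LOAD(m, mlen)`/`STORE(c, *px, mlen)` and `LOAD(c, clen)`/`STORE(m, *px, clen)` with n < 8; the armv7m word.h is not in this chunk, but if its `LOAD`/`STORE` match the armv6m_lowsize version on this page (an 8-byte `uint64_t` access masked by `MASK(n)`), these read up to 7 bytes past the caller's `ad`/`m`/`c` and, in `ascon_decrypt`, write up to 7 bytes past the end of `m` (which holds only `*mlen` bytes), carrying bits of the internal state with them. update.c on this page already uses `LOADBYTES`/`STOREBYTES` for its tail, and the decrypt tail would become `uint64_t cx = LOADBYTES(c, clen);` / `*px ^= cx;` / `STOREBYTES(m, *px, clen);`, with the same substitution in the encrypt and adata tails. Separately, `crypto_aead_decrypt` fills `m` before the tag comparison, so the function comment should state that `m` must be discarded whenever the return value is nonzero.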
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/forceinline.h
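Review bot: The little-endian U64BIG/U32BIG/U16BIG macros expand their argument once per byte (eight, four and two times), so any argument with a side effect or a non-trivial expression is evaluated repeatedly; the visible callers in word.h pass plain locals, which is fine, but nothing in the header says so. A comment above the macros such as `/* x must be a side-effect-free expression: it is expanded once per byte */` would prevent a later misuse. U32BIG applied to a signed `int` also shifts `(0x000000FF & (x)) << 24` into the sign bit, so casting to `uint32_t` inside the macro would make it well-defined for any argument type. The same header is added unchanged as ascon80pqv12/armv7m_lowsize/endian.h later in this patch.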
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.c
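Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang predefines `__clang__` (lowercase) and also `__GNUC__`, so every clang build is caught by the preceding `defined(__GNUC__)` branch and the `__has_attribute` probe below it is dead code. Either delete the branch or spell it `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test if the attribute probe is the intended behaviour for clang. The identical header is added again as ascon80pqv12/armv7m_lowsize/forceinline.h further down.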
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
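Review bot: In both unrolled configurations `P(state_t* s, int nr)` is three independent `if`s with no fallthrough, so a caller passing a round count other than 6, 8 or 12 gets an unchanged state and no diagnostic; the visible callers pass 12 or an `nr` derived from ASCON_AEAD_RATE, so this is a contract-clarity point rather than a live bug. Making the intent explicit with `else if` and a comment, e.g. `/* nr must be 6, 8 or 12; any other value leaves the state untouched */`, costs nothing and stops the dispatcher from comparing twice more after a match. The P6 definition in permutations.c is only compiled when ASCON_AEAD_RATE is 8, while the `nr == 6` call here is unconditional in the non-inline unrolled branch, so a configuration that reaches it without that rate would fail at link time rather than silently — worth a note next to the declarations.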
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/round.h
new file mode 100644
index 0000000..f70ebf3
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/round.h
@@ -0,0 +1,273 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( 
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m/word.h 
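Review bot: The asm block in ROUND_LOOP executes `cmp %[C], #60` and branches on the result, so the condition flags are modified, yet its clobber list is empty (`: :)` at the end of the statement); the compiler is therefore free to keep a flags-dependent value live across the statement, which is a latent miscompile. Declare the flag clobber there, `: "cc");`, and, if the `sub %[C], #15` is meant to assemble to a flag-setting 16-bit encoding, say so in a comment so the two are kept consistent. ROUND and ROUND5 only use eor/orn/bic/and/orr with shift operands and do not touch the flags, so their empty clobber lists are correct as written. The `"i"` constraint on `C` in ROUND and ROUND5 requires a compile-time immediate, which holds only while these helpers are inlined with literal RC values — a comment such as `/* C must be a constant expression: it is emitted as an immediate operand */` would document that dependency.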
@@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/api.h 
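Review bot: STORE performs an 8-byte read-modify-write through `*(uint64_t*)bytes` regardless of `n` and ORs in the unmasked `WORDTOU64(w)`, so when the crypto_aead.c hunk above calls `STORE(m, *px, clen)` for a final block with `clen < 8`, bytes `clen..7` past the end of the plaintext receive bits of the state word (which at that point holds state XOR padding), and LOAD likewise reads up to 7 bytes beyond the `n` bytes that are valid. The leak of state bits into the caller's buffer is fixed by masking the stored word the same way LOAD masks the loaded one: `*(uint64_t*)bytes |= WORDTOU64(w) & MASK(n);`. The 8-byte over-read/over-write itself is a contract on the caller's buffers and should be stated in a comment on LOAD/STORE, e.g. `/* accesses a full 8-byte word at bytes; the buffer must extend 8 bytes past bytes regardless of n */`; LOADBYTES/STOREBYTES in this same header are the memcpy-based forms to use where that guarantee does not hold. `*(uint64_t*)bytes` is also an unaligned, strict-aliasing-violating access, which is presumably accepted for this armv7m target but deserves a comment.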
@@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/ascon.h new file mode 100644 index 0000000..70a4dee --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/ascon.h @@ -0,0 +1,36 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#define ASCON_ABSORB 0x1 +#define ASCON_SQUEEZE 0x2 +#define ASCON_INSERT 0x4 +#define ASCON_HASH 0x8 +#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE) +#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT) + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode); + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/config.h new file mode 100644 index 0000000..f5873d0 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/config.h 
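Review bot: `key_t` in ascon.h adds the `k0` member only under `#if (CRYPTO_KEYBYTES == 20)`, but ascon.h does not include api.h where that macro is defined, so a translation unit that includes ascon.h before api.h sees an undefined macro (evaluating to 0) and gets a struct without `k0`, while encrypt.c, which includes api.h first, reads and writes `key->k0` — a silent layout mismatch between objects. Add `#include "api.h"` at the top of ascon.h, or guard the test with `#ifndef CRYPTO_KEYBYTES` / `#error "include api.h before ascon.h"`. Separately, `key_t` is also a POSIX typedef from `<sys/types.h>`; it is harmless on the bare-metal target but collides in any host build that pulls that header in, so a project-prefixed name such as `ascon_key_t` would be safer.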
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/crypto_aead.c 
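Review bot: `#define INC -0x0f` is an unparenthesized negative literal, so an expression such as `a*INC` or `x INC` does not mean what it looks like; write it `#define INC (-0x0f)` like the other value macros in this file. INC and END are not used in the visible round.h (the loop hard-codes `#15` and `#60`), so a comment tying the three constants together, e.g. `/* START/INC/END describe the round-constant counter of ROUND_LOOP in round.h */`, would stop them drifting apart.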
@@ -0,0 +1,46 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + /* ascon encryption */ + ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); + /* set tag */ + for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i]; + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + /* ascon decryption */ + ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT); + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i]; + return (((result - 1) >> 8) & 1) - 1; +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/encrypt.c new file mode 100644 index 0000000..c6100f6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/encrypt.c 
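Review bot: crypto_aead_decrypt writes the decrypted data into `m` and sets `*mlen` before the tag is compared, so when it returns -1 the caller's buffer still holds unauthenticated plaintext and a caller that ignores the return value will consume it. Clearing `m` and zeroing `*mlen` on failure, as below, removes that hazard at no cost on the success path; the branch is on the public verification outcome, not on secret data, and the byte-wise tag comparison itself stays branch-free. The includes and the `#ifdef ASCON_AEAD_RATE` guard are unchanged.
```c
  /* verify tag (should be constant time, check compiler output) */
  int result = 0;
  for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
  result = (((result - 1) >> 8) & 1) - 1;
  /* do not release unauthenticated plaintext to the caller */
  if (result) {
    for (unsigned long long i = 0; i < *mlen; ++i) m[i] = 0;
    *mlen = 0;
  }
  return result;
```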
@@ -0,0 +1,95 @@ +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ + state_t s; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/endian.h 
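Review bot: The last two statements of ascon_aead, `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and the matching `[1]`, store through a `uint64_t*` aliased onto the caller's `uint8_t t[16]` (declared in crypto_aead.c), which is an unaligned, strict-aliasing-violating access; Cortex-M tolerates unaligned LDR/STR but not LDRD/STRD, so the compiler is free to pick an instruction that faults on an odd address. word.h already provides the portable form: `STOREBYTES(t, s.x[3], 8);` / `STOREBYTES(t + 8, s.x[4], 8);`. `key` and `s` hold the key words and the final state and are left on the stack on return; if the project has a policy on wiping secrets, this function is where it would apply.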
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/forceinline.h
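Review bot: `U64BIG`, `U32BIG` and `U16BIG` in the little-endian branch evaluate their argument up to eight times, so an argument with a side effect would be applied repeatedly, and nothing in the header says so. Add above the little-endian block `/* NOTE: the argument is evaluated multiple times; pass only side-effect-free expressions */`. The `_MSC_VER` test also silently assumes every MSVC target is little-endian; a one-line comment stating that assumption next to the `#elif` would help whoever ports this later.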
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.c
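Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h can never be selected: clang predefines `__clang__` (lower case), not `__CLANG__`, and it also defines `__GNUC__`, so clang already takes the preceding branch and the `__has_attribute` check below it is dead code. Either drop the branch or, if a clang-specific path is intended, spell it `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test so it can actually match.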
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/permutations.h
@@ -0,0 +1,123 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+#define LOADSTATE(s, a, b, c, d, e) \
+ do { \
+ a.x = s->x[0]; \
+ b.x = s->x[1]; \
+ c.x = s->x[2]; \
+ d.x = s->x[3]; \
+ e.x = s->x[4]; \
+ } while (0)
+
+#define STORESTATE(s, a, b, c, d, e) \
+ do { \
+ s->x[0] = a.x; \
+ s->x[1] = b.x; \
+ s->x[2] = c.x; \
+ s->x[3] = d.x; \
+ s->x[4] = e.x; \
+ } while (0)
+
+forceinline void P12ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC0);
+ ROUND5(x2, x3, x4, x0, x1, RC1);
+ ROUND5(x4, x0, x1, x2, x3, RC2);
+ ROUND5(x1, x2, x3, x4, x0, RC3);
+ ROUND5(x3, x4, x0, x1, x2, RC4);
+ ROUND5(x0, x1, x2, x3, x4, RC5);
+ ROUND5(x2, x3, x4, x0, x1, RC6);
+ ROUND5(x4, x0, x1, x2, x3, RC7);
+ ROUND5(x1, x2, x3, x4, x0, RC8);
+ ROUND5(x3, x4, x0, x1, x2, RC9);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCa);
+ ROUND5(x2, x3, x4, x0, x1, RCb);
+ STORESTATE(s, x4, x0, x1, x2, x3);
+#else
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC4);
+ ROUND5(x2, x3, x4, x0, x1, RC5);
+ ROUND5(x4, x0, x1, x2, x3, RC6);
+ ROUND5(x1, x2, x3, x4, x0, RC7);
+ ROUND5(x3, x4, x0, x1, x2, RC8);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RC9);
+ ROUND5(x2, x3, x4, x0, x1, RCa);
+ ROUND5(x4, x0, x1, x2, x3, RCb);
+ STORESTATE(s, x1, x2, x3, x4, x0);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+#endif
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ word_t x0, x1, x2, x3, x4;
+ LOADSTATE(s, x0, x1, x2, x3, x4);
+ ROUND5(x0, x1, x2, x3, x4, RC6);
+ ROUND5(x2, x3, x4, x0, x1, RC7);
+ ROUND5(x4, x0, x1, x2, x3, RC8);
+ ROUND5(x1, x2, x3, x4, x0, RC9);
+ ROUND5(x3, x4, x0, x1, x2, RCa);
+#if !ASCON_INLINE_PERM
+ ROUND5(x0, x1, x2, x3, x4, RCb);
+ STORESTATE(s, x2, x3, x4, x0, x1);
+#else /* ASCON_INLINE_PERM */
+ STORESTATE(s, x0, x1, x2, x3, x4);
+ ROUND(s, RCb);
+#endif
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.c
new file mode 100644
index 0000000..9b03f87
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.c
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
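Review bot: The closing `STORESTATE(s, x4, x0, x1, x2, x3)`, `STORESTATE(s, x1, x2, x3, x4, x0)` and `STORESTATE(s, x2, x3, x4, x0, x1)` in P12ROUNDS, P8ROUNDS and P6ROUNDS of permutations.h are correct only because each `ROUND5` call shifts the variable roles by two positions (2·12 ≡ 4, 2·8 ≡ 1, 2·6 ≡ 2 mod 5), and the `ASCON_INLINE_PERM` branches store in natural order because the 10 or 5 calls before them bring the shift back to zero; none of that is written down, so the three differing argument orders look like typos. Add above P12ROUNDS `/* each ROUND5 call rotates the word roles by two; after n calls the state sits in x[(2n) mod 5 ...], hence the per-variant STORESTATE order */`. The inline `P(state_t* s, int nr)` under `ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` silently does nothing for any `nr` other than 12, 8 or 6; a comment saying the caller must pass one of those three values would make the contract explicit.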
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/round.h
new file mode 100644
index 0000000..f70ebf3
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/round.h
@@ -0,0 +1,273 @@
+#ifndef ROUND_H_
+#define ROUND_H_
+
+#include "ascon.h"
+#include "printstate.h"
+
+forceinline void ROUND_LOOP(state_t* s, uint32_t C) {
+ uint32_t tmp0, tmp1;
+ __asm__ __volatile__(
+ "rbegin_%=:;\n\t"
+ "eor %[x2_l], %[x2_l], %[C]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "orn %[tmp0], %[x4_l], %[x0_l]\n\t"
+ "bic %[tmp1], %[x2_l], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_l], %[x4_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_l], %[x0_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_l], %[x2_l]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0]\n\t"
+ "eor %[x1_l], %[x1_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x2_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[x3_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[x1_h]\n\t"
+ "orn %[tmp0], %[x4_h], %[x0_h]\n\t"
+ "bic %[tmp1], %[x2_h], %[x1_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_h], %[x4_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_h], %[x0_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_h], %[x2_h]\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp1]\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp0]\n\t"
+ "eor %[x1_h], %[x1_h], %[x0_h]\n\t"
+ "eor %[x3_h], %[x3_h], %[x2_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t"
+ "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t"
+ "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t"
+ "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t"
+ "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t"
+ "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t"
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t"
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t"
+ "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t"
+ "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t"
+ "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t"
+ "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t"
+ "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t"
+ "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t"
+ "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t"
+ "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t"
+ "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t"
+ "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t"
+ "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t"
+ "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t"
+ "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t"
+ "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t"
+ "sub %[C], #15\n\t"
+ "cmp %[C], #60\n\t"
+ "bne rbegin_%=\n\t"
+ : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C),
+ [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1)
+ :
+ :);
+}
+
+forceinline void ROUND(state_t* s, uint32_t C) {
+ uint32_t tmp0, tmp1;
+ __asm__ __volatile__(
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[x3_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[x1_l]\n\t"
+ "orn %[tmp0], %[x4_l], %[x0_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[C_l]\n\t"
+ "bic %[tmp1], %[x2_l], %[x1_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_l], %[x4_l]\n\t"
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_l], %[x0_l]\n\t"
+ "eor %[x4_l], %[x4_l], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_l], %[x2_l]\n\t"
+ "eor %[x1_l], %[x1_l], %[tmp1]\n\t"
+ "eor %[x3_l], %[x3_l], %[tmp0]\n\t"
+ "eor %[x1_l], %[x1_l], %[x0_l]\n\t"
+ "eor %[x3_l], %[x3_l], %[x2_l]\n\t"
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[x3_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[x1_h]\n\t"
+ "orn %[tmp0], %[x4_h], %[x0_h]\n\t"
+ "bic %[tmp1], %[x2_h], %[x1_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[tmp1]\n\t"
+ "orn %[tmp1], %[x3_h], %[x4_h]\n\t"
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t"
+ "bic %[tmp1], %[x1_h], %[x0_h]\n\t"
+ "eor %[x4_h], %[x4_h], %[tmp1]\n\t"
+ "and %[tmp1], %[x3_h], %[x2_h]\n\t"
+ "eor %[x1_h], %[x1_h], %[tmp1]\n\t"
+ "eor %[x3_h], %[x3_h], %[tmp0]\n\t"
+ "eor %[x1_h], %[x1_h], %[x0_h]\n\t"
+ "eor %[x3_h], %[x3_h], %[x2_h]\n\t"
+ "eor %[x0_h], %[x0_h], %[x4_h]\n\t"
+ "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t"
+ "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t"
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t"
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t"
+ "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t"
+ "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t"
+ "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t"
+ "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t"
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t"
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t"
+ "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t"
+ "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t"
+ "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t"
+ "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t"
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t"
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t"
+ "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t"
+ "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t"
+ "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t"
+ "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t"
+ "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t"
+ "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t"
+ "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t"
+ "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t"
+ "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t"
+ "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t"
+ "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t"
+ "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t"
+ "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t"
+ "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t"
+ : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]),
+ [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]),
+ [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]),
+ [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]),
+ [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]),
+ [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1)
+ : [ C_l ] "i"(C)
+ :);
+}
+
+#define ROUND5(x0, x1, x2, x3, x4, C) \
+ do { \
+ uint32_t tmp0, tmp1, tmp2; \
+ /* Based on the round description of Ascon given in the Bachelor's */ \
+ /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \
+ /* see https://github_com/Lucus16/ascon-riscv/ */ \
+ __asm__ __volatile__( \
+ "eor %[x2_l], %[x2_l], %[C_l]\n\t" \
+ "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \
+ "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \
+ "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \
+ "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \
+ "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \
+ "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \
+ "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \
+ "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \
+ "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \
+ "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \
+ "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \
+ "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \
+ "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \
+ "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \
+ "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \
+ "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \
+ "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \
+ "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \
+ "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \
+ "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \
+ "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \
+ "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \
+ "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \
+ "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \
+ "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \
+ "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \
+ "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \
+ "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \
+ "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \
+ "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \
+ "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \
+ "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \
+ "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \
+ "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \
+ "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \
+ "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \
+ "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \
+ "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \
+ "eor %[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \
+ "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \
+ "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \
+ "eor %[tmp0], %[t0], %[x4_h], lsl #(32-6)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \
+ "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \
+ "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \
+ "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \
+ "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \
+ "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \
+ "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \
+ "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \
+ "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \
+ "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \
+ "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \
+ "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \
+ "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \
+ "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \
+ : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \
+ [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \
+ [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \
+ [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \
+ [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \
+ [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \
+ : [ C_l ] "i"((uint32_t)C) \
+ :); \
+ } while (0)
+
+forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); }
+
+#endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/update.c
new file mode 100644
index 0000000..b81b24e
--- /dev/null
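Review bot: `ROUND_LOOP` in round.h executes `cmp %[C], #60`, which writes the condition flags, yet the asm statement's clobber list is empty (`:);`); unless the compiler already treats flags as clobbered by every asm on this target, it may keep a live comparison across the statement, so the last line should read `: "cc");`. The loop also hardcodes the step `#15` and the terminator `#60` while constants.h in this series defines `INC` and `END` for exactly those values; a comment such as `/* C steps by INC (-0x0f) until END (0x3c); keep in sync with constants.h */` above the asm would tie them together. The `ROUND` and `ROUND5` variants use only flag-neutral `eor`/`orn`/`bic`/`and`/`orr`, so they are unaffected. Lastly, the attribution comment in ROUND5 reads `https://github_com/Lucus16/ascon-riscv/`, which looks like a mangled `github.com`.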
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/update.c
@@ -0,0 +1,77 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode) {
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) {
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
+ }
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
+ }
+ /* compute permutation for full blocks */
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
+ }
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
+}
+
+#endif
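Review bot: `ascon_update` has no comment describing its `mode` contract even though correctness hinges on it: `tmp` is assigned only inside the absorb block and then read by the `ASCON_INSERT` branch, so every mode carrying the insert bit must also carry the absorb bit, and the `mode == ASCON_ABSORB` / `mode == ASCON_ENCRYPT` tests treat `mode` as an exact value while the other tests treat it as a bit set. Add above the function `/* mode is a bit set of ASCON_ABSORB / ASCON_SQUEEZE / ASCON_INSERT (ASCON_ENCRYPT and ASCON_DECRYPT combine them); INSERT relies on ABSORB having loaded tmp in the same iteration */`. In this AEAD-only directory the `#ifdef ASCON_HASH_BYTES` guards are compiled out so the absorb block is unconditional, but in a hash build a mode with INSERT and no ABSORB would read `tmp` uninitialized; the comment makes that precondition visible. `rate` is also unused when `ASCON_AEAD_RATE == 8`, since its only use sits under `#if ASCON_AEAD_RATE == 16`, which a warning-clean build will flag.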
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_lowsize/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
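Review bot: `LOAD` and `STORE` in word.h always touch a full 8 bytes through `*(uint64_t*)bytes` regardless of `n`, so a tail-block call such as the `LOAD(m, mlen)` / `STORE(c, *px, mlen)` pair visible in encrypt.c reads, and writes back, memory past the `n` valid bytes, and the cast assumes the byte pointer is acceptable for a 64-bit access, which a Cortex-M core may not tolerate for an unaligned address; the memcpy-based `LOADBYTES`/`STOREBYTES` below avoid both problems, and the header should say which helper is safe where, e.g. `/* LOAD/STORE access a whole 8-byte word at bytes (bytes must be 8-byte addressable and readable/writable); use LOADBYTES/STOREBYTES for partial blocks */`. The comment on `CLEAR` says `/* undefined for n == 0 */`, but its shift is `8 * n`, which is 0 for `n == 0` and 64 (undefined) for `n == 8`; that comment appears copied from `MASK`, whose `64 - 8 * n` is the one undefined at `n == 0`, so it should read `/* undefined for n == 8 */`. `NOTZERO` would also benefit from a line stating its return convention, `/* returns 0 when a == b == 0, -1 otherwise; relies on an arithmetic right shift of a negative int */`.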
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/api.h
new file mode 100644
index 0000000..085b24c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 20
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/ascon.h
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
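Review bot: The layout of `key_t` in ascon.h depends on `CRYPTO_KEYBYTES`, but ascon.h only includes `<stdint.h>` and "word.h", not api.h, so a translation unit that reaches ascon.h before api.h sees `CRYPTO_KEYBYTES` undefined (evaluating to 0) and compiles a `key_t` without `k0`; printstate.c in this series does exactly that under `ASCON_PRINT_STATE`, since printstate.h includes ascon.h first. Adding `#include "api.h"` at the top of ascon.h (or `#ifndef CRYPTO_KEYBYTES` / `#error "api.h must be included before ascon.h"`) removes the include-order dependency. The name `key_t` is also the POSIX type from `<sys/types.h>`, so on a hosted toolchain any standard header that pulls that in turns this typedef into a conflicting redefinition; a project-prefixed name such as `ascon_key_t` would avoid the clash.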
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/config.h
new file mode 100644
index 0000000..f5873d0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/config.h
@@ -0,0 +1,19 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/constants.h
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/encrypt.c
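Review bot: `START(n)`, `INC` and `END` at the bottom of constants.h encode the round-constant schedule that the asm loop in round.h depends on, but nothing explains the encoding: `START(n) = ((3 + n) << 4) | (12 - n)` yields 0xf0 (`RC0`) for 12 rounds, 0xb4 (`RC4`) for 8 and 0x96 (`RC6`) for 6, each iteration subtracts 0x0f, and the loop stops when the value reaches 0x3c. Add above `START` the comment `/* round constants for an n-round permutation run from START(n) in steps of INC until END; the sub/cmp immediates in round.h must match INC and END */`. `RC(i)` is defined as the identity and does not appear to be referenced by the round functions in this series; if it exists for another variant, a one-line comment saying so would stop readers hunting for its use.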
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/endian.h 
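Review bot: `crypto_aead_decrypt` writes the whole decrypted plaintext into `m` (via `ascon_decrypt`) before the tag is compared, so when `NOTZERO` yields -1 the caller already holds unauthenticated plaintext, and the function neither wipes it nor says so. If leaving it in place is intentional for this API, state it at the tag check, e.g. `/* on failure m already holds the unauthenticated plaintext; callers must discard it */`; otherwise clear `m` over `*mlen` bytes before returning. Both entry points also leave the local `key` and the final `s` on the stack after returning, so key material and the keyed final state outlive the call; a wipe of both locals before `return` (or a comment explaining why the target does not need one) would close that. The tag comparison itself is branch-free through `NOTZERO`, consistent with the existing "check compiler output" caveat.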
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.c
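Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang defines `__clang__` (lowercase) and also `__GNUC__`, so the preceding `__GNUC__` test always wins for clang and `__CLANG__` is never defined by any compiler. The `__has_attribute(__always_inline__)` probe behind it is therefore dead code; either delete the branch, or, if it is meant to take precedence for clang, spell it `#elif defined(__clang__)` and order it before the `__GNUC__` test. Behaviour today is unaffected because the `__GNUC__` branch already yields the same attribute on clang.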
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.c @@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif 
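Review bot: The two unrolled `P(state_t* s, int nr)` dispatchers in permutations.h (the `ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` and `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` variants) apply no rounds at all when `nr` is not 12, 8 or 6, whereas the `PROUNDS` variants loop for any `nr`; a caller with an unexpected round count would silently continue on an unpermuted state. Every visible caller in encrypt.c passes 12 or an `nr` derived from ASCON_AEAD_RATE, so this is a robustness and documentation point rather than a live defect. Add `/* nr must be 12, 8 or 6; any other value leaves the state unchanged */` to both dispatchers so the contract is explicit.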
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/round.h
new file mode 100644
index 0000000..f70ebf3
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/round.h
@@ -0,0 +1,273 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "eor %[x2_l], %[x2_l], %[C]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], 
%[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + "sub %[C], #15\n\t" + "cmp %[C], #60\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + :); +} + +forceinline void ROUND(state_t* s, uint32_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( 
+ "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_l]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_l], lsr #19\n\t" + "eor %[tmp1], %[x0_h], %[x0_h], lsr #19\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-19)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-19)\n\t" + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-28)\n\t" + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-28)\n\t" + "eor %[x0_l], %[tmp0], %[x0_l], lsr #28\n\t" + "eor %[x0_h], %[tmp1], %[x0_h], lsr #28\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], lsl #(64-61)\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], lsl #(64-61)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(61-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(61-32)\n\t" + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(39-32)\n\t" + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(39-32)\n\t" + "eor %[x1_l], %[tmp0], %[x1_l], lsl 
#(64-39)\n\t" + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-39)\n\t" + "eor %[tmp0], %[x2_l], %[x2_l], lsr #1\n\t" + "eor %[tmp1], %[x2_h], %[x2_h], lsr #1\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-1)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-1)\n\t" + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-6)\n\t" + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-6)\n\t" + "eor %[x2_l], %[tmp0], %[x2_l], lsr #6\n\t" + "eor %[x2_h], %[tmp1], %[x2_h], lsr #6\n\t" + "eor %[tmp0], %[x3_l], %[x3_l], lsr #10\n\t" + "eor %[tmp1], %[x3_h], %[x3_h], lsr #10\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-10)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-10)\n\t" + "eor %[tmp0], %[tmp0], %[x3_h], lsl #(32-17)\n\t" + "eor %[tmp1], %[tmp1], %[x3_l], lsl #(32-17)\n\t" + "eor %[x3_l], %[tmp0], %[x3_l], lsr #17\n\t" + "eor %[x3_h], %[tmp1], %[x3_h], lsr #17\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], lsr #7\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], lsr #7\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-7)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-7)\n\t" + "eor %[tmp0], %[tmp0], %[x4_h], lsr #(41-32)\n\t" + "eor %[tmp1], %[tmp1], %[x4_l], lsr #(41-32)\n\t" + "eor %[x4_l], %[tmp0], %[x4_l], lsl #(64-41)\n\t" + "eor %[x4_h], %[tmp1], %[x4_h], lsl #(64-41)\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_l ] "i"(C) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github_com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_l]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], 
%[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_l], lsr #19\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_h], lsr #19\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-19)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-19)\n\t" \ + "eor %[tmp0], %[tmp0], %[x2_h], lsl #(32-28)\n\t" \ + "eor %[tmp1], %[tmp1], %[x2_l], lsl #(32-28)\n\t" \ + "eor %[x2_l], %[tmp0], %[x2_l], lsr #28\n\t" \ + "eor %[x2_h], %[tmp1], %[x2_h], lsr #28\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], lsl #(64-61)\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], lsl #(64-61)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(61-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(61-32)\n\t" \ + "eor %[tmp0], %[tmp0], %[x3_h], lsr #(39-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x3_l], lsr #(39-32)\n\t" \ + "eor %[x3_l], %[tmp0], %[x3_l], lsl #(64-39)\n\t" \ + "eor %[x3_h], %[tmp1], %[x3_h], lsl #(64-39)\n\t" \ + "eor 
%[tmp0], %[x4_l], %[x4_l], lsr #1\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_h], lsr #1\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-1)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-1)\n\t" \ + "eor %[tmp0], %[tmp0], %[x4_h], lsl #(32-6)\n\t" \ + "eor %[tmp1], %[tmp1], %[x4_l], lsl #(32-6)\n\t" \ + "eor %[x4_l], %[tmp0], %[x4_l], lsr #6\n\t" \ + "eor %[x4_h], %[tmp1], %[x4_h], lsr #6\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_l], lsr #10\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_h], lsr #10\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-10)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-10)\n\t" \ + "eor %[tmp0], %[tmp0], %[x0_h], lsl #(32-17)\n\t" \ + "eor %[tmp1], %[tmp1], %[x0_l], lsl #(32-17)\n\t" \ + "eor %[x0_l], %[tmp0], %[x0_l], lsr #17\n\t" \ + "eor %[x0_h], %[tmp1], %[x0_h], lsr #17\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], lsr #7\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], lsr #7\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsl #(32-7)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsl #(32-7)\n\t" \ + "eor %[tmp0], %[tmp0], %[x1_h], lsr #(41-32)\n\t" \ + "eor %[tmp1], %[tmp1], %[x1_l], lsr #(41-32)\n\t" \ + "eor %[x1_l], %[tmp0], %[x1_l], lsl #(64-41)\n\t" \ + "eor %[x1_h], %[tmp1], %[x1_h], lsl #(64-41)\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_l ] "i"((uint32_t)C) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { ROUND_LOOP(s, START(nr)); } + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/armv7m_small/word.h 
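Review bot: `ROUND_LOOP` hardcodes the round-constant step and terminator as `sub %[C], #15` and `cmp %[C], #60`, duplicating what constants.h names `INC` (-0x0f) and `END` (0x3c); if either definition changes, the asm keeps looping on the old schedule with no diagnostic. Pass them as immediates instead: `"sub %[C], %[inc]\n\t" "cmp %[C], %[end]\n\t"` with `[ inc ] "i"(-INC), [ end ] "i"(END)` in the input operand list. The same asm statement executes `cmp`, which writes the condition flags, yet its clobber list is empty; adding `"cc"` is valid on every target and documents the flag write even where the backend already assumes it. The attribution comment in `ROUND5` cites `https://github_com/Lucus16/ascon-riscv/`, which looks like a mangled `github.com` and should be checked against the original.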
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/api.h
new file mode 100644
index 0000000..3be5441
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/api.h
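Review bot: `LOAD` and `STORE` always touch a full 8 bytes through `*(uint64_t*)bytes` whatever `n` is, so the partial final-block calls in encrypt.c (`LOAD(ad, adlen)` in ascon_adata, `LOAD(m, mlen)` in ascon_encrypt, `STORE(m, *px, clen)` in ascon_decrypt) read, and for STORE read-modify-write, up to 7 bytes past the end of the caller's `ad` or `m` buffer; the ciphertext side is covered by the 16 tag bytes that follow, the `ad` and `m` buffers are not unless the caller over-allocates. The cast also violates strict aliasing and presumes the target tolerates unaligned 64-bit loads and stores, which depends on the access form the compiler emits. `LOADBYTES`/`STOREBYTES` in the same hunk are the `memcpy`-based variants without either issue; either route partial blocks through them or document the contract on `LOAD`/`STORE`, e.g. `/* accesses 8 bytes at bytes regardless of n; caller must guarantee 8 addressable bytes */`. The `/* undefined for n == 0 */` comment on `CLEAR` appears to describe `MASK` (shift by 64) rather than `CLEAR`, whose n == 0 case is a plain identity; worth re-checking.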
@@ -0,0 +1,6 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 20
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.S b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.S
new file mode 100644
index 0000000..d23cfb7
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.S
@@ -0,0 +1,522 @@ +#include +#include "api.h" + +## REGISTER ALLOCATION +#define t0h a4 +#define t0l a5 +#define x0h a6 +#define x0l a7 +#define x1h a8 +#define x1l a9 +#define x2h a10 +#define x2l a11 +#define x3h a12 +#define x3l a13 +#define x4h a14 +#define x4l a15 +## OVERLAPPING REGISTER ALLOCATION +#define optr x2h +#define iptr x2l +#define ilen x3h +#define mode x3l +#define t1h x4h +#define t1l x4l + +## STACK FRAME LAYOUT +## +-----------+-----------+-----------+------------+-----------+ +## | ASCON128a | ASCON128 | ASCON80PQ | ASCONHASHa | ASCONHASH | +## | RATE 16 | RATE 8 | RATE 8 | RATE 8 | RATE 8 | +## | PA 12 | PA 12 | PA 12 | PA 12 | PA 12 | +## | PB 8 | PB 6 | PB 6 | PB 8 | PB 12 | +## | KEY 16 | KEY 16 | KEY 20 | | | +## +-----------+-----------+-----------+------------+-----------+ +## 0 | bytes | bytes | bytes | bytes | bytes | +## 4 | | | \---- | \---- | \---- | \---- | +## 8 | | | optr | optr | optr | optr | +## 12 | \---- | iptr | iptr | iptr cur | iptr cur | +## 16 | state x2h | state x2h | state x2h | | | +## 20 | | x2l | | x2l | | x2l | state x2l | state x2l | +## 24 | | x3h | | x3h | | x3h | \---- x3h | \---- x3h | +## 28 | | x3l | \---- x3l | \---- x3l | | | +## 32 | | x4h | ilen | ilen | ilen cur | ilen cur | +## 36 | \---- x4l | mode cur | mode cur | olen | olen | +## 40 | key k0h | key k0h | key k1h | | | +## 44 | | k0l | | k0l | | k1l | lr | lr | +## 48 | | k1h | | k1h | | k2h +------------+-----------+ +## 52 | \---- k1l | \---- k1l | | k2l | +## 56 | | | \---- k0h | +## 60 | optr cur | optr cur | optr cur | +## 64 | iptr cur | iptr cur | iptr cur | +## 68 | ilen cur | ilen cur | ilen cur | +## 72 | mode cur | lr2 | lr2 | +## 76 | optr | lr | lr | +## 80 | iptr +-----------+-----------+ +## 84 | ilen | | | +## 88 | lr2 | | | +## 92 | lr +-----------+-----------+ +## 96 +-----------+ kptr arg | kptr arg | +## 100 | | mode arg | mode arg | +## 104 | +-----------+-----------+ +## 108 +-----------+ +## 112 | kptr arg | +## 116 | mode 
arg | +## 120 +-----------+ + +## ASCON80PQ +#define RATE 8 +#define PA_ROUNDS 12 +#define PA_START_ROUND 0xf0 +#define PB_ROUNDS 6 +#define PB_START_ROUND 0x96 +#define IVh (((8 * CRYPTO_KEYBYTES) << 24) | ((8 * RATE) << 16) | (PA_ROUNDS << 8) | (PB_ROUNDS << 0)) +#define IVl 0 + +#define S_state 16 +#define S_key 40 +#define S_optr_cur 60 +#define S_iptr_cur 64 +#define S_ilen_cur 68 +#define S_mode_cur 36 +#define S_optr 8 +#define S_iptr 12 +#define S_ilen 32 +#define S_lr2 72 +#define S_lr 76 +#define S_kptr_arg 96 +#define S_mode_arg 100 + +.macro sbox x0, x1, x2, x3, x4, r0, t0, t1, t2 + xor \t1, \x0, \x4 + xor \t2, \x3, \x4 + movi \t0, -1 + xor \x4, \x4, \t0 + xor \t0, \x1, \x2 + or \x4, \x4, \x3 + xor \x4, \x4, \t0 + xor \x3, \x3, \x1 + or \x3, \x3, \t0 + xor \x3, \x3, \t1 + xor \x2, \x2, \t1 + or \x2, \x2, \x1 + xor \x2, \x2, \t2 + or \x0, \x0, \t2 + xor \x0, \x0, \t0 + movi \t0, -1 + xor \t1, \t1, \t0 + and \x1, \x1, \t1 + xor \x1, \x1, \t2 + mov \r0, \x0 +.endm + +.macro linear dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0 + ssai \r0 + src \dl, \sh0, \sl0 + src \dh, \sl0, \sh0 + xor \dl, \dl, \sl + xor \dh, \dh, \sh + ssai \r1 + src \t0, \sh1, \sl1 + src \sh, \sl1, \sh1 + xor \dl, \dl, \t0 + xor \dh, \dh, \sh +.endm + +.align 4 +.globl ascon_permute +.type ascon_permute,@function +ascon_permute: + # ascon permutation + # state in a6 .. a9 and sp + 16 .. sp + 36 + # start round in a2 + # temporaries in a3, a4, a5 + l32i x2h, a1, (S_state + 0) + l32i x2l, a1, (S_state + 4) + l32i x3h, a1, (S_state + 8) + l32i x3l, a1, (S_state + 12) +.globl ascon_permute_noload +.type ascon_permute_noload,@function +ascon_permute_noload: + # state in a6 .. 
a15 + # start round constant in a2 + # round count in a3 + # temporaries in a3, a4, a5 + + # ESP32 zero-overhead looping + floop a3, Ploop +.LPloop: + # round constant + xor x2l, x2l, a2 + + # s-box + sbox x0l, x1l, x2l, x3l, x4l, t0l, t0h, t0l, a3 + sbox x0h, x1h, x2h, x3h, x4h, t0h, t0h, x0l, a3 + + # linear layer + linear x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, a3 + linear x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, a3 + linear x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, a3 + linear x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, a3 + linear x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, a3 + + # condition + addi a2, a2, -15 + + floopend a3, Ploop +.LPend: + s32i x2h, a1, (S_state + 0) + s32i x2l, a1, (S_state + 4) + s32i x3h, a1, (S_state + 8) + s32i x3l, a1, (S_state + 12) + ret + +.align 4 +.globl ascon_rev8 +.type ascon_rev8,@function +ascon_rev8: + # ascon bytereverse one block + # arguments and results in a4, a5, a14, a15 + # temporaries in a2 + ssai 8 + srli a2, t1h, 16 + src a2, a2, t1h + src a2, a2, a2 + src t1h, t1h, a2 + + srli a2, t1l, 16 + src a2, a2, t1l + src a2, a2, a2 + src t1l, t1l, a2 + +.globl ascon_rev8_half +.type ascon_rev8_half,@function +ascon_rev8_half: + ssai 8 + srli a2, t0h, 16 + src a2, a2, t0h + src a2, a2, a2 + src t0h, t0h, a2 + + srli a2, t0l, 16 + src a2, a2, t0l + src a2, a2, a2 + src t0l, t0l, a2 + + ret + +.align 4 +.globl ascon_memcpy +.type ascon_memcpy,@function +ascon_memcpy: + # memcpy that preserves registers used by ascon + # dest in a2 + # src in a3 + # temporaries in a4, a5 + movi a4, 0 + j .LMcond +.LMloop: + l8ui a5, a3, 0 + s8i a5, a2, 0 + addi a2, a2, 1 + addi a3, a3, 1 + addi a4, a4, 1 +.LMcond: + bltu a4, ilen, .LMloop +.LMend: + ret + +.align 4 +.globl ascon_duplex +.type ascon_duplex,@function +ascon_duplex: + s32i a0, a1, S_lr2 + j .LDcond + +.LDloop: + l32i t0h, iptr, 0 + l32i t0l, iptr, 4 + call0 ascon_rev8_half + xor x0h, x0h, t0h + xor x0l, x0l, t0l + +.LDsqueeze: + beqz a13, .LDreset + + # 
ascon_rev8 + # inlined here to preserve registers + ssai 8 + srli a2, x0h, 16 + src a2, a2, x0h + src a2, a2, a2 + src a2, x0h, a2 + s32i a2, optr, 0 + + srli a2, x0l, 16 + src a2, a2, x0l + src a2, a2, a2 + src a2, x0l, a2 + s32i a2, optr, 4 + +.LDreset: + bgez mode, .LDpermute + mov x0h, t0h + mov x0l, t0l + +.LDpermute: + s32i optr, a1, S_optr_cur + s32i iptr, a1, S_iptr_cur + s32i ilen, a1, S_ilen_cur + movi a2, PB_START_ROUND + movi a3, PB_ROUNDS + call0 ascon_permute + l32i optr, a1, S_optr_cur + l32i iptr, a1, S_iptr_cur + l32i ilen, a1, S_ilen_cur + l32i mode, a1, S_mode_cur + + addi optr, optr, RATE + addi iptr, iptr, RATE + addi ilen, ilen, -RATE + +.LDcond: + bgeui ilen, RATE, .LDloop + +.LDend: + movi a2, 0 + s32i a2, a1, 0 + s32i a2, a1, 4 + + mov a2, a1 + mov a3, iptr + call0 ascon_memcpy + + movi a4, 0x80 + add a2, a1, ilen + l8ui a3, a2, 0 + xor a3, a3, a4 + s8i a3, a2, 0 + + l32i t0h, a1, 0 + l32i t0l, a1, 4 + call0 ascon_rev8_half + xor x0h, x0h, t0h + xor x0l, x0l, t0l + +.LDendsqueeze: + beqz mode, .LDendreset + + mov t0h, x0h + mov t0l, x0l + call0 ascon_rev8_half + s32i t0h, a1, 0 + s32i t0l, a1, 4 + + mov a2, optr + mov a3, a1 + call0 ascon_memcpy + +.LDendreset: + bgez mode, .LDreturn + + mov a2, a1 + mov a3, iptr + call0 ascon_memcpy + + l32i t0h, a1, 0 + l32i t0l, a1, 4 + call0 ascon_rev8_half + mov x0h, t0h + mov x0l, t0l + +.LDreturn: + add optr, optr, ilen + add iptr, iptr, ilen + l32i a0, a1, S_lr2 + ret + +.align 4 +.globl ascon_core +.type ascon_core,@function +ascon_core: + abi_entry 80, 4 + s32i a0, a1, S_lr + s32i a2, a1, S_optr + s32i a3, a1, S_iptr + s32i a4, a1, S_ilen + s32i a5, a1, S_iptr_cur + s32i a6, a1, S_ilen_cur + + # load key + l32i a2, a1, S_kptr_arg + l32i t0h, a2, 0 + ssai 8 + srli t0l, t0h, 16 + src t0l, t0l, t0h + src t0l, t0l, t0l + src t0h, t0h, t0l + s32i t0h, a1, (S_key + 16) + + l32i t0h, a2, 4 + l32i t0l, a2, 8 + l32i t1h, a2, 12 + l32i t1l, a2, 16 + call0 ascon_rev8 + s32i t0h, a1, (S_key + 0) + s32i t0l, 
a1, (S_key + 4) + s32i t1h, a1, (S_key + 8) + s32i t1l, a1, (S_key + 12) + mov x1h, t0h + mov x1l, t0l + mov x2h, t1h + mov x2l, t1l + + # load nonce + # a7 is not clobbered by ascon_rev8 + # a7 does not overlap x1, x2, t0, or t1 + # x4 overlaps t1, move unnecessary + mov a2, a7 + l32i t0h, a2, 0 + l32i t0l, a2, 4 + l32i t1h, a2, 8 + l32i t1l, a2, 12 + call0 ascon_rev8 + mov x3h, t0h + mov x3l, t0l + + # load IV + movi x0h, IVh + + # load K0.h + # this clobbers a7 + l32i x0l, a1, (S_key + 16) + + movi a2, PA_START_ROUND + movi a3, PA_ROUNDS + call0 ascon_permute_noload + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 16) + xor x2l, x2l, t0h + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x3h, x3h, t0h + xor x3l, x3l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x4h, x4h, t0h + xor x4l, x4l, t0l + + # save state + s32i x2h, a1, (S_state + 0) + s32i x2l, a1, (S_state + 4) + s32i x3h, a1, (S_state + 8) + s32i x3l, a1, (S_state + 12) + + l32i ilen, a1, S_ilen_cur + beqz ilen, .LCskipad + + l32i iptr, a1, S_iptr_cur + movi mode, 0 + s32i mode, a1, S_mode_cur + call0 ascon_duplex + + movi a2, PB_START_ROUND + movi a3, PB_ROUNDS + call0 ascon_permute + +.LCskipad: + movi a2, 1 + xor x4l, x4l, a2 + + l32i optr, a1, S_optr + l32i iptr, a1, S_iptr + l32i ilen, a1, S_ilen + l8ui mode, a1, S_mode_arg + sext mode, mode, 7 + s32i mode, a1, S_mode_cur + call0 ascon_duplex + s32i optr, a1, S_optr_cur + s32i iptr, a1, S_iptr_cur + + # restore state + l32i x2h, a1, (S_state + 0) + l32i x2l, a1, (S_state + 4) + l32i x3h, a1, (S_state + 8) + l32i x3l, a1, (S_state + 12) + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 16) + xor x1h, x1h, t0h + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x1l, x1l, t0h + xor x2h, x2h, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x2l, x2l, t0h + xor x3h, x3h, t0l + + movi a2, PA_START_ROUND + movi a3, PA_ROUNDS + call0 
ascon_permute_noload + + # xor key + # x4 overlaps t1, do in two steps + l32i t0h, a1, (S_key + 0) + l32i t0l, a1, (S_key + 4) + xor x3h, x3h, t0h + xor x3l, x3l, t0l + l32i t0h, a1, (S_key + 8) + l32i t0l, a1, (S_key + 12) + xor x4h, x4h, t0h + xor x4l, x4l, t0l + + l32i a2, a1, S_mode_cur + bgez a2, .LCencrypt +.LCdecrypt: + + # save x4 into x0 + # x0 is no longer needed + # x4 overlaps t1 + mov x0h, x4h + mov x0l, x4l + + l32i a2, a1, S_iptr_cur + l32i t0h, a2, 0 + l32i t0l, a2, 4 + l32i t1h, a2, 8 + l32i t1l, a2, 12 + call0 ascon_rev8 + + # check tag + # x4 is in x0 + xor a2, x3h, t0h + xor a3, x3l, t0l + xor a2, a2, a3 + xor a3, x0h, t1h + xor a2, a2, a3 + xor a3, x0l, t1l + xor a2, a2, a3 + + beqz a2, .LCzeroreturn + movi a2, -1 + j .LCreturn +.LCencrypt: + + # store tag + # x4 overlaps t1, move unnecessary + mov t0h, x3h + mov t0l, x3l + call0 ascon_rev8 + l32i a2, a1, S_optr_cur + s32i t0h, a2, 0 + s32i t0l, a2, 4 + s32i t1h, a2, 8 + s32i t1l, a2, 12 + +.LCzeroreturn: + movi a2, 0 +.LCreturn: + l32i a0, a1, S_lr + abi_return diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.h new file mode 100644 index 0000000..74e5220 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/ascon.h @@ -0,0 +1,6 @@ +#include "api.h" + +int ascon_core(unsigned char* outptr, const unsigned char* inptr, + unsigned int inlen, const unsigned char* adptr, + unsigned int adlen, const unsigned char* nptr, + const unsigned char* kptr, unsigned char mode); diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/decrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/decrypt.c new file mode 100644 index 0000000..0b0211d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/decrypt.c 
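Review bot: The frame that `abi_entry 80, 4` allocates holds the byte-swapped key words at `S_key + 0 .. S_key + 16` and the saved state at `S_state`, and `.LCreturn` reloads `a0` and executes `abi_return` without overwriting any of them, so key material stays in dead stack memory after ascon_core returns; the bi32 encrypt.c hunk has the same gap with its local `key_t key` and `state_t s`. Zero the key slots before releasing the frame, as in the excerpt below (a3 is free at that point, a2 carries the return value). Separately, `.LCdecrypt` compares the tag only after ascon_duplex has already written every plaintext block to `optr`, and on a mismatch the function returns -1 with that unverified plaintext still in the caller's buffer; the same holds for crypto_aead_decrypt in the bi32 encrypt.c hunk, so either document that the output is undefined on failure or clear it on the `-1` path. I cannot see the definition of `abi_entry`/`abi_return`, so where the register window is spilled and whether the frame is reused by the caller are inferred.
```asm
.LCzeroreturn:
    movi a2, 0
.LCreturn:
    # scrub key words before the frame is released; a2 holds the return value
    movi a3, 0
    s32i a3, a1, (S_key + 0)
    s32i a3, a1, (S_key + 4)
    s32i a3, a1, (S_key + 8)
    s32i a3, a1, (S_key + 12)
    s32i a3, a1, (S_key + 16)
    l32i a0, a1, S_lr
    abi_return
```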
@@ -0,0 +1,17 @@
+#include "ascon.h"
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ if (clen < CRYPTO_ABYTES) {
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = clen - CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(m, c, *mlen, ad, adlen, npub, k, -1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/encrypt.c
new file mode 100644
index 0000000..b8dda4c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/encrypt.c
@@ -0,0 +1,12 @@
+#include "ascon.h"
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ *clen = mlen + CRYPTO_ABYTES;
+ (void)nsec;
+
+ return ascon_core(c, m, mlen, ad, adlen, npub, k, 1);
+}
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/implementors
new file mode 100644
index 0000000..1b9a187
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/asm_esp32/implementors
@@ -0,0 +1 @@
+Ferdinand Bachmann
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/api.h
index 017428a..085b24c 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/api.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/api.h
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 20
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
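Review bot: `ascon_core(m, c, *mlen, ad, adlen, npub, k, -1)` passes two `unsigned long long` lengths into the `unsigned int inlen`/`adlen` parameters declared in the asm_esp32 ascon.h hunk, so on this 32-bit target a length of 2^32 or more is silently reduced modulo 2^32 and the routine processes a shorter buffer than the caller described while `*mlen` still reports the full length; the encrypt.c hunk on this line has the same conversion. A guard before the call, e.g. `if (*mlen > UINT_MAX || adlen > UINT_MAX) { *mlen = 0; return -1; }` (with `<limits.h>`), keeps the wrappers honest on the API they expose. The `-1` passed for `mode` arrives as 0xff in the `unsigned char mode` parameter and is recovered by `sext mode, mode, 7` in ascon.S; a comment such as `/* mode: 1 = encrypt, -1 = decrypt (sign-extended from bit 7 by ascon_core) */` on the ascon_core prototype would spare the next reader that trip through the assembly.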
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/ascon.h @@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/config.h index 9568d5b..5d155e0 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/config.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/config.h @@ -16,4 +16,14 @@ #define ASCON_UNROLL_LOOPS 1 #endif +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 1 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + #endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.c new file mode 100644 index 0000000..4d93b8e 
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.c
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/constants.h
@@ -0,0 +1,89 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x8021000008220000ull
+#define ASCON_128A_IV 0x8822000000200000ull
+#define ASCON_80PQ_IV 0xc021000008220000ull
+
+#define ASCON_HASH_IV 0x0020000008200010ull
+#define ASCON_HASHA_IV 0x0020000008220010ull
+#define ASCON_XOF_IV 0x0020000008200000ull
+#define ASCON_XOFA_IV 0x0020000008220000ull
+
+#define ASCON_PRF_IV 0x88a0000000200000ull
+#define ASCON_MAC_IV 0x88a0000800200000ull
+#define ASCON_PRFS_IV 0x8028000000a00000ull
+
+#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull
+#define ASCON_HASH_IV1 0xbd2493011445a340ull
+#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull
+#define ASCON_HASH_IV3 0x12a4eede94514c98ull
+#define ASCON_HASH_IV4 0x4bca84c06339f398ull
+
+#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull
+#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull
+#define ASCON_HASHA_IV2 0x7ad665622891ae4aull
+#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full
+#define ASCON_HASHA_IV4 0xc61d5fa916801633ull
+
+#define ASCON_XOF_IV0 0xc75782817e351ae6ull
+#define ASCON_XOF_IV1 0x70045f441d238220ull
+#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull
+#define ASCON_XOF_IV3 0x3e378142c30c1db2ull
+#define ASCON_XOF_IV4 0x3735189db624d656ull
+
+#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull
+#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull
+#define ASCON_XOFA_IV2 0xdc451146f713e811ull
+#define ASCON_XOFA_IV3 0x468cb2532839e30dull
+#define ASCON_XOFA_IV4 0xeb2d429709e96977ull
+
+#define RC0 0x0000000c0000000cull
+#define RC1 0x0000000c00000009ull
+#define RC2 0x000000090000000cull
+#define RC3 0x0000000900000009ull
+#define RC4 0x0000000c00000006ull
+#define RC5 0x0000000c00000003ull
+#define RC6 0x0000000900000006ull
+#define RC7 0x0000000900000003ull
+#define RC8 0x000000060000000cull
+#define RC9 0x0000000600000009ull
+#define RCa 0x000000030000000cull
+#define RCb 0x0000000300000009ull
+
+#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])
+
+#define START(n) (24 - 2 * (n))
+#define INC 2
+#define END 24
+
+extern const uint8_t constants[];
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/encrypt.c
new file mode 100644
index 0000000..631e60c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/encrypt.c
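Review bot: `#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i])` uses its parameter unparenthesised, so an argument with lower precedence than `+` (a conditional expression, for instance) would index the wrong element; `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` costs nothing. `extern const uint8_t constants[];` also exports a very generic symbol from the library, as does `B` in the interleave.c/interleave.h hunks further down; another object that happens to define `constants` or `B` produces a duplicate-symbol link error or, with weak or common linkage, a silent substitution of the round-constant table, so an `ascon_` prefix on both would be safer. `START(n)`/`INC`/`END` are evidently the iteration scheme for `RC(i)` over the 24-entry table, and a one-line comment saying that `i` steps by 2 from `24 - 2 * n` up to 24, with `constants[i]` the low word and `constants[i + 1]` the high word of the round constant (matching RC0..RCb above), would make that relationship visible without reading constants.c.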
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.c new file mode 100644 index 0000000..effd40b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.c @@ -0,0 +1,15 @@ +#include "interleave.h" + +#if !ASCON_EXTERN_BI + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.h index 7dfa822..e5d6703 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/interleave.h 
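Review bot: crypto_aead_decrypt returns -1 for `clen < CRYPTO_ABYTES` without assigning `*mlen`, whereas the asm_esp32 decrypt.c wrapper in this same patch sets `*mlen = 0` on that path; a caller that reads `*mlen` after a failed call gets an uninitialised value here, so `if (clen < CRYPTO_ABYTES) { *mlen = 0; return -1; }` would make the two implementations agree. The comment `/* verify tag (should be constant time, check compiler output) */` can be more precise: the XOR-accumulate into `s.x[3]`/`s.x[4]` and NOTZERO's arithmetic fold are branch-free as written, so the one thing to confirm is that the compiler does not rewrite NOTZERO's `(result & 0xff) - 1` trick back into a compare-and-branch. The forceinline helpers above (ascon_loadkey, ascon_initaead, ascon_adata, ascon_encrypt, ascon_decrypt, ascon_final) carry no header comments; one line each stating which state words they touch, and for the `#if CRYPTO_KEYBYTES == 20` branches that `k0` is folded into `x[0]` at init and into `x[2]` after the first permutation while ascon_final spreads KEYROT combinations over `x[1]..x[3]`, would save the next reader from re-deriving it, since those branches differ from the 16-byte ones in non-obvious ways.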
@@ -3,47 +3,65 @@ #include +#include "config.h" +#include "endian.h" #include "forceinline.h" -forceinline uint32_t deinterleave_uint32(uint32_t x) { +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); return x; } -forceinline uint32_t interleave_uint32(uint32_t x) { +forceinline uint32_t interleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); return x; } /* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); uint32_t hi = in >> 32; uint32_t lo = in; - uint32_t r0, r1; - lo = deinterleave_uint32(lo); - hi = deinterleave_uint32(hi); - r0 = (lo & 0x0000FFFF) | (hi << 16); - r1 = (lo >> 16) | (hi & 0xFFFF0000); - return (uint64_t)r1 << 32 | r0; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; } /* credit to Henry S. 
Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t interleave32(uint64_t in) { - uint32_t r0 = in; - uint32_t r1 = in >> 32; - uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16); - uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000); - lo = interleave_uint32(lo); - hi = interleave_uint32(hi); - return (uint64_t)hi << 32 | lo; + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); } #endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.c index 8e9b3c1..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.c @@ -1,17 +1,22 @@ #include "permutations.h" -#if !ASCON_UNROLL_LOOPS +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9}, - {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9}, - {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}}; +void P12(state_t* s) { P12ROUNDS(s); } #endif -#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -void P12(state_t* s) { P12ROUNDS(s); } void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.h index 336d7bb..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.h 
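Review bot: deinterleave32 now applies `U64BIG(in)` on entry and interleave32 applies `U64BIG(...)` on its return, so TOBI/FROMBI have become endian-converting transforms rather than pure bit permutations, and nothing in the header says so; a comment above `deinterleave32` such as `/* TOBI: byte-swap a 64-bit word with U64BIG and split it into even (low half) and odd (high half) bit planes; FROMBI inverts this, including the byte swap. */` would keep callers from applying U64BIG a second time. The three masks also moved from immediates into the extern table `B[3]`; the indices are compile-time constants, so no secret-dependent memory access is introduced, but stating that intent next to `extern const uint32_t B[3];` would answer the question a reader of a bit-sliced primitive will otherwise ask about a table lookup. The retained `0xff00` immediate in deinterleave16/interleave16 alongside three table entries looks like an oversight rather than a design; either all four masks belong in the table or the comment should say why the last one stays inline.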
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/permutations.h 
@@ -6,104 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8021000008220000ull) -#define ASCON_128A_IV WORD_T(0x8822000000200000ull) -#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull) -#define ASCON_HASH_IV WORD_T(0x0020000008020010ull) -#define ASCON_XOF_IV WORD_T(0x0020000008020000ull) - -#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull) -#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull) -#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull) -#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull) -#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull) - -#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull) -#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull) -#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull) -#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full) -#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull) - -#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull) -#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull) -#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull) -#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull) -#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull) - -#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull) -#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull) -#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull) -#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull) -#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull) - -#define START(n) (12 - 
n) -#define RC(e, o) WORD_T((uint64_t)o << 32 | e) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xc, 0xc)); - ROUND(s, RC(0x9, 0xc)); - ROUND(s, RC(0xc, 0x9)); - ROUND(s, RC(0x9, 0x9)); - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); -} - -extern const uint8_t constants[][2]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) - ROUND(s, RC(constants[i][0], constants[i][1])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.c index 6cb5f4d..8aa5862 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.c 
@@ -1,21 +1,40 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/round.h index cd8ec34..772d7f2 100644 
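Review bot: printstate() prints the entire cipher state to stdout, and encrypt.c calls it right after the key words are placed in the state (`printstate("init 1st key xor", s)`), so this file should state at the top that ASCON_PRINT_STATE is a test-vector/debug build only, e.g. `/* debug build only: prints the whole state, including key material, to stdout */`. Separately, `for (int i = strlen(text); i < 17; ++i)` narrows the size_t returned by strlen() into an int and trips -Wconversion/-Wsign-compare builds; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` avoids that. Both points apply equally to the new bi32_armv6/printstate.c, which has the same blob id (8aa5862) as this file's new side.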
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/round.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/round.h 
@@ -4,49 +4,43 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { +forceinline void ROUND(state_t* s, uint64_t C) { state_t t; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - t.x0 = XOR(s->x0, AND(NOT(s->x1), s->x2)); - t.x2 = XOR(s->x2, AND(NOT(s->x3), s->x4)); - t.x4 = XOR(s->x4, AND(NOT(s->x0), s->x1)); - t.x1 = XOR(s->x1, AND(NOT(s->x2), s->x3)); - t.x3 = XOR(s->x3, AND(NOT(s->x4), s->x0)); - t.x1 = XOR(t.x1, t.x0); - t.x3 = XOR(t.x3, t.x2); - t.x0 = XOR(t.x0, t.x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]); + t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]); + t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]); + t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]); + t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]); + t.x[1] ^= t.x[0]; + t.x[3] ^= t.x[2]; + t.x[0] ^= t.x[4]; /* linear layer */ - s->x2 = XOR(t.x2, ROR(t.x2, 6 - 1)); - s->x3 = XOR(t.x3, ROR(t.x3, 17 - 10)); - s->x4 = XOR(t.x4, ROR(t.x4, 41 - 7)); - s->x0 = XOR(t.x0, ROR(t.x0, 28 - 19)); - s->x1 = XOR(t.x1, ROR(t.x1, 61 - 39)); - s->x2 = XOR(t.x2, ROR(s->x2, 1)); - s->x3 = XOR(t.x3, ROR(s->x3, 10)); - s->x4 = XOR(t.x4, ROR(s->x4, 7)); - s->x0 = XOR(t.x0, ROR(s->x0, 19)); - s->x1 = XOR(t.x1, ROR(s->x1, 39)); - s->x2 = NOT(s->x2); + s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1); + s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10); + s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7); + s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19); + s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39); + s->x[2] = t.x[2] ^ ROR(s->x[2], 1); + s->x[3] = t.x[3] ^ ROR(s->x[3], 10); + s->x[4] = t.x[4] ^ 
ROR(s->x[4], 7); + s->x[0] = t.x[0] ^ ROR(s->x[0], 19); + s->x[1] = t.x[1] ^ ROR(s->x[1], 39); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/word.h index 688e605..d685b5e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/word.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32/word.h 
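Review bot: The new PROUNDS uses a do/while, so it executes ROUND at least once even when START(nr) already equals END (nr == 0), and for nr outside 0..12 it indexes `constants[]` outside the 24 bytes defined in constants.c; every visible caller passes 6, 8 or 12, but a bounded loop costs nothing: `for (int i = START(nr); i < END; i += INC) ROUND(s, RC(i));`. round.h also uses START, INC, END and RC without including constants.h itself, so it only compiles when the includer has pulled constants.h in first (permutations.h does); adding `#include "constants.h"` here removes that include-order dependency.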
@@ -2,104 +2,115 @@ #define WORD_H_ #include +#include +#include "config.h" #include "endian.h" #include "forceinline.h" #include "interleave.h" -typedef struct { - uint32_t e; - uint32_t o; -} word_t; - -forceinline uint32_t ROR32(uint32_t x, int n) { - return (n == 0) ? x : x >> n | x << (32 - n); -} - -forceinline word_t ROR(word_t x, int n) { - word_t r; - r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2); - r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2); - return r; -} +#if ASCON_EXTERN_BI -forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; } +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; } +#else -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); } +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) -forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); } +#endif -forceinline word_t NOT(word_t a) { - a.e = ~a.e; - a.o = ~a.o; - return a; -} +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -forceinline word_t XOR(word_t a, word_t b) { - a.e ^= b.e; - a.o ^= b.o; - return a; +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); } -forceinline word_t AND(word_t a, word_t b) { - a.e &= b.e; - a.o &= b.o; - return a; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? 
ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t r; - r.e = lo2hi.e << 16 | hi2lo.e >> 16; - r.o = lo2hi.o << 16 | hi2lo.o >> 16; - return r; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; } -forceinline int NOTZERO(word_t a, word_t b) { - uint32_t result = a.e | a.o | b.e | b.o; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { - return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32); +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint32_t mask = 0x0fffffff >> (n * 4 - 4); - w.e &= mask; - w.o &= mask; - return w; + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); } +#endif + forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { 
uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64TOWORD(U64BIG(x));
+ return U64TOWORD(x);
}
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
- uint64_t x = WORDTOU64(w);
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
*(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(x);
+ *(uint64_t*)bytes |= WORDTOU64(w);
}
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
+ memcpy(&x, bytes, n);
return U64TOWORD(x);
}
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
uint64_t x = WORDTOU64(w);
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i];
+ memcpy(bytes, &x, n);
}
#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/api.h
new file mode 100644
index 0000000..085b24c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 20
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/ascon.h
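Review bot: LOAD and STORE still go through `*(uint64_t*)bytes`, so they read, and read-modify-write, a full 8 bytes even when n < 8, while this same commit moved LOADBYTES/STOREBYTES to memcpy; the final-block calls in encrypt.c (`LOAD(ad, adlen)`, `STORE(m, *px, clen)`) then touch up to 8 - n bytes beyond buffers the caller may have sized exactly, and STORE additionally ORs the bytes of `w` above position n, i.e. state bits, into that tail. Unless the harness is known to provide slack, both helpers should copy only n bytes; the cast is also an unaligned, aliasing-violating access on strict targets, and `& MASK(n)` only selects the first n bytes in memory on a little-endian host, which deserves a comment given endian.h also has a big-endian branch. With memcpy, LOAD becomes the same function as the new LOADBYTES and STORE the same as STOREBYTES, so the four could collapse to two.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  uint64_t x = 0;
  memcpy(&x, bytes, n); /* touch only the n bytes the caller owns */
  return U64TOWORD(x);
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  uint64_t x = WORDTOU64(w);
  memcpy(bytes, &x, n); /* never ORs bits of w beyond byte n into the buffer */
}
```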
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/config.h
new file mode 100644
index 0000000..5d155e0
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 0
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.c
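Review bot: key_t's layout depends on `CRYPTO_KEYBYTES`, but ascon.h does not include api.h, so `#if (CRYPTO_KEYBYTES == 20)` silently evaluates to 0 and drops k0 in any translation unit that includes ascon.h before api.h; two units disagreeing on the struct layout would corrupt the key with no compiler diagnostic. Either `#include "api.h"` at the top of ascon.h, or guard it with `#ifndef CRYPTO_KEYBYTES` / `#error "api.h must be included before ascon.h"` / `#endif`. The name `key_t` also collides with the POSIX `key_t` from <sys/types.h> (the System V IPC key type), which some libc headers include transitively; a prefixed `ascon_key_t` avoids a conflicting-typedef error on such hosts.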
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/encrypt.c 
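Review bot: `RC(i)` uses its parameter unparenthesised in `constants[i + 1]`, so an argument containing an operator of lower precedence than `+` (a conditional expression, say) would index the wrong byte; `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` is the usual macro hygiene. RC(i) also only produces a valid (even, odd) constant pair for even i below END, since constants.c interleaves the two nibbles byte by byte, and nothing here says START/INC/END are the only sanctioned way to drive it; a comment such as `/* RC(i): round constant from bytes i, i+1 of constants[]; i must be even and < END */` documents that contract. The `RCa`/`RCb` names mixing a lowercase hex digit into uppercase macro names is a small style inconsistency with `RC0`..`RC9`.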
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/endian.h 
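Review bot: crypto_aead_decrypt leaves the fully decrypted candidate plaintext in `m` when the tag check fails, so a caller that checks the return value late, or not at all, is handed unauthenticated data; the usual practice is to wipe it before returning, e.g. `int result = NOTZERO(s.x[3], s.x[4]);` / `if (result) memset(m, 0, clen);` / `return result;` (memset needs <string.h>, which word.h appears to include for its memcpy). On the `clen < CRYPTO_ABYTES` early return `*mlen` is left unset; assigning 0 there costs nothing and matches what a caller reading it after -1 would expect. `s` and `key` also hold key-derived material on the stack at return in both entry points and are not cleared; with forceinline'd helpers this is hard to do reliably in portable C, so at minimum a comment stating that zeroisation is the caller's/platform's concern would be honest.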
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/forceinline.h
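Review bot: U64BIG/U32BIG/U16BIG expand their argument eight, four and two times respectively, so an argument with side effects would be repeated and an expensive one re-evaluated; the visible call sites pass a variable or a pure expression (`U64BIG(WORDTOU64(x))` in printstate.c, `U64BIG((uint64_t)hi << 32 | lo)` in interleave.h), but a one-line `/* x is evaluated several times: pass a variable or a side-effect-free expression */` above the little-endian block protects future callers. The `_MSC_VER` branch also assumes every MSVC target is little-endian; that holds for the x86/x64/ARM targets MSVC ships, and saying so in the comment makes the assumption visible.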
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.c
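Review bot: `#elif defined(__CLANG__)` tests a macro clang does not predefine — the compiler identifies itself as `__clang__`, lowercase — and since clang also defines `__GNUC__` the preceding branch already catches it, so the whole `__has_attribute` block is dead code. Either drop it, or if the intent was to go through `__has_attribute` on clang, move a corrected `#elif defined(__clang__)` ahead of the `__GNUC__` branch. As written, clang gets the unconditional `__attribute__((__always_inline__))` from the GNU branch, which is probably fine but not what the file appears to intend.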
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/interleave.h
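Review bot: `B` is an exported single-letter global with external linkage (it is `extern`ed in interleave.h and read by the inline de/interleave functions), so any other object in a larger link that defines a `B` collides with it; a project-prefixed name such as `ascon_bi_masks` keeps it out of the one-letter global namespace. A short comment on what the three values are would also help, e.g. `/* swap masks for the 1-, 2- and 4-bit de/interleave steps */`, judging by how deinterleave16 pairs B[0], B[1], B[2] with shifts of 1, 2 and 4.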
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.c 
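Review bot: deinterleave16/interleave16 put two statements on each line with the comma operator (`t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1);`), which reads as one expression and hides the dependency between the mask step and the swap; `t = (x ^ (x >> 1)) & B[0]; x ^= t ^ (t << 1);` is the same code and is what a formatter will keep stable. The `extern const uint32_t B[3]` declaration is unconditional while interleave.c only defines B under `!ASCON_EXTERN_BI`, which is fine as long as no extern-BI build references these inline functions; a one-line comment next to the extern would record that assumption.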
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.c 
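Review bot: Both unrolled P() dispatchers are an if/if/if chain with no else, so a round count other than 12, 8 or 6 returns with the state untouched — a silent no-op permutation instead of an error, which is the worst failure mode for a cipher. An `else if` chain ending in a loud failure for the unexpected case, or at least `/* any other nr is a caller bug: the state is deliberately left unchanged */`, makes the contract explicit. The register rotation in P12ROUNDS/P8ROUNDS/P6ROUNDS (e.g. `STORESTATE(s, x4, x0, x1, x2, x3)` after an odd number of ROUND5 calls) is only correct if ROUND5 permutes its five arguments in the fixed pattern the call sequence assumes; ROUND5 is defined outside this hunk (in round.h, presumably), so a comment here naming that invariant would let this file be reviewed on its own.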
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/round.h
new file mode 100644
index 0000000..a52ca55
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/round.h
@@ -0,0 +1,229 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror 
#11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "mvn %[tmp0], %[x0_l]\n\t" + "orr %[tmp0], %[x4_l], %[tmp0]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_l]\n\t" + "orr %[tmp1], %[x3_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], 
%[x2_h], %[x1_h]\n\t" + "mvn %[tmp0], %[x0_h]\n\t" + "orr %[tmp0], %[x4_h], %[tmp0]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "mvn %[tmp1], %[x4_h]\n\t" + "orr %[tmp1], %[x3_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round 
description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + "eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "mvn %[x4_l], %[x4_l]\n\t" \ + "orr %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "mvn %[x4_h], %[x4_h]\n\t" \ + "orr %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], 
%[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" \ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6/word.h 
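Review bot: `ROUND_LOOP` tests its exit condition only after the body (`cmp %[C], %[E]` / `bne rbegin_%=` at the end of the asm block) and consumes two constant bytes per iteration, so it requires `C < E` with `E - C` even on entry; if `C == E` on entry the pointer steps past `E` and the loop never terminates, reading beyond `constants`. `PROUNDS` satisfies this for `nr` in {6, 8, 12} via `START(nr)`, but `nr == 0` would give `C == E`, and nothing documents the precondition. Suggested comment on `ROUND_LOOP`: `/* Precondition: C < E and (E - C) is even; C and E index into constants[]. Runs (E - C) / 2 rounds. */`, and on `PROUNDS`: `/* nr must be 6, 8 or 12 */`. The inline asm itself is only partially reviewable from the diff; a pointer to the test vectors that exercise it would help the next reader.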
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/ascon.h 
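Review bot: `LOAD` and `STORE` dereference a full `uint64_t` at `bytes` regardless of `n`, so the partial-block calls in encrypt.c (`LOAD(m, mlen)`, `STORE(m, *px, clen)` with `n < 8`) read up to 7 bytes past the caller's buffer, and `STORE` then ORs all eight bytes of `WORDTOU64(w)` back into memory while `&= ~MASK(n)` clears only the first `n`, so bytes `n..7` beyond the logical end are rewritten with state-derived values. For encryption those trailing bytes are overwritten by the tag afterwards, but in `crypto_aead_decrypt` the bytes after `m + mlen` belong to the caller, so unless the API contract guarantees 8 bytes of slack the partial-block paths should use the memcpy-based `LOADBYTES`/`STOREBYTES` already in this file (on little-endian targets they yield the same first `n` bytes), e.g. `*px ^= LOADBYTES(m, mlen); STOREBYTES(c, *px, mlen);`. The `*(uint64_t*)bytes` casts also assume aligned, non-aliasing access, which I would confirm for the ARMv6 targets this directory is named after. Separately, `NOTZERO` relies on `>>` of a negative `int` being arithmetic, which is implementation-defined in C; an unsigned formulation is well-defined and still branch-free: `uint32_t r = (uint32_t)(result & 0xff); return (int)((r - 1) >> 31) - 1;`.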
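Review bot: `architectures` lists `aarch64` for a directory named bi32_armv6m whose `round.h` (later in this patch) is 32-bit ARM inline assembly using `movs` and `push {…}`, which are not AArch64 instructions; as written it looks like the implementation would fail to assemble when selected for that architecture. Either confirm there is an AArch64 build path I cannot see from the diff, or drop the `aarch64` entry.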
@@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/config.h new file mode 100644 index 0000000..c6afcc6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/config.h @@ -0,0 +1,29 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 1 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 1 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.c 
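Review bot: `typedef struct { … } key_t;` reuses the POSIX type name `key_t` from `<sys/types.h>`, which system headers such as `<stdio.h>` may expose transitively on some libcs, giving a conflicting-typedef error in any translation unit that sees both; a project-prefixed name (`ascon_key_t`, with the `key_t` uses in encrypt.c updated) avoids the collision. The layout of that struct also depends on `CRYPTO_KEYBYTES`, which ascon.h does not include itself (it relies on api.h being included earlier, as encrypt.c and permutations.h do), so a file that includes ascon.h first — printstate.c via printstate.h appears to — sees a struct without `k0`. Adding `#include "api.h"` at the top of ascon.h, or `#ifndef CRYPTO_KEYBYTES #error "include api.h first" #endif`, makes the layout independent of include order.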
@@ -0,0 +1,9 @@ +#include "constants.h" + +#if !ASCON_UNROLL_LOOPS + +const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9, + 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9, + 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3}; + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.h new file mode 100644 index 0000000..d353d10 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/constants.h 
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/encrypt.c 
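Review bot: `RC(i)` leaves its macro argument unparenthesized (`constants[i + 1] << 32 | constants[i]`) while `START(n)` parenthesizes `(n)`; for consistency and to survive compound arguments: `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`. A comment on the table layout would also help, since constants.c only shows raw bytes: `/* constants[] stores each round constant as a (even-half, odd-half) byte pair in bit-interleaved form; RC(i) for even i rebuilds the 64-bit RCx value */` — the pairs in constants.c do match `RC0`…`RCb` here (e.g. `RC1` = 0x0000000c_00000009 is stored as `0x9, 0xc`).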
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/endian.h 
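Review bot: `crypto_aead_decrypt` writes the decrypted bytes to `m` before the tag is checked (`ascon_decrypt` runs, then `NOTZERO(s.x[3], s.x[4])` decides the return value), so on a failed verification the caller's buffer holds unauthenticated plaintext; that matches the SUPERCOP/NIST API shape, but the function should say so, e.g. `/* m is written before the tag is verified: callers must discard it when the return value is nonzero */`, and clearing `m` on failure is a cheap mitigation where the contract permits. Neither entry point wipes `key` or `s` before returning, so key words and key-derived state remain on the stack after the call; a non-elidable clear after `ascon_final` (a plain `memset` may be optimized away) is the usual fix. The existing `/* verify tag (should be constant time, check compiler output) */` note is good; the `NOTZERO` implementation it depends on lives in word.h and has its own portability caveat.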
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/forceinline.h 
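Review bot: `U64BIG(x)` evaluates its argument eight times (once per masked term), and the callers in this patch nest expansions — printstate.c uses `U64BIG(WORDTOU64(x))`, where `WORDTOU64` is `interleave32(...)` in the default `ASCON_INLINE_BI` configuration — so each printed word runs the interleave eight times and any argument with side effects would misbehave. Worth a comment above the little-endian definitions: `/* Function-like macros: the argument is evaluated multiple times; pass a plain variable, not an expression with side effects. */`. The `#error` fallback for unknown byte orders is the right choice and should stay.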
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.c new file mode 100644 index 0000000..effd40b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.c 
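Review bot: The `#elif defined(__CLANG__)` branch is unreachable: clang defines `__clang__` (lowercase) and also `__GNUC__`, so it is always captured by the preceding `defined(__GNUC__)` branch. Either drop the clang branch or, if the `__has_attribute` check is intended to run for clang, test `defined(__clang__)` before the `__GNUC__` case.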
@@ -0,0 +1,15 @@ +#include "interleave.h" + +#if !ASCON_EXTERN_BI + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.h new file mode 100644 index 0000000..e5d6703 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/interleave.h 
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.c 
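Review bot: `extern const uint32_t B[3];` exports a one-letter global from a public header, which is easy to collide with in consumer code; a project-prefixed name would be safer, though renaming touches interleave.c as well. The two `deinterleave32`/`interleave32` functions credit Hacker's Delight but do not state the resulting layout; a comment would help readers of word.h and round.h: `/* Bit-interleaved form: odd-numbered bits of the big-endian 64-bit word in the high 32-bit half, even-numbered bits in the low half (see the final `(uint64_t)o << 32 | e`). */`.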
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.c 
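Review bot: Both `P` variants built from three independent `if`s silently perform no rounds when `nr` is not 6, 8 or 12, so a wrong round count leaves the state unpermuted rather than failing; at minimum document it, `/* nr must be 6, 8 or 12; any other value leaves s unchanged */`, or make the last case unconditional. In the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` branch `P8` and `P6` are declared and dispatched unconditionally, while the permutations.c hunk just above defines `P8` only for rate 16 (or hash rounds 8) and `P6` only for rate 8, so the unused branch references an undefined symbol and links only if the compiler folds the constant `nr` away — which I would not rely on at -O0. Guarding the declarations and dispatch with the same preprocessor conditions as permutations.c removes the dependency on dead-code elimination.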
@@ -0,0 +1,40 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+#ifdef ASCON_PRINT_BI
+ printf(" ");
+ printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]);
+ printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]);
+ printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]);
+ printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]);
+ printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]);
+#endif
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/round.h
new file mode 100644
index 0000000..76679e7
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/round.h
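Review bot: printstate() writes all five state words to stdout, and in this code base those words hold key-derived material right after the init and final key xors (see the printstate("init 1st key xor", s) and printstate("final 1st key xor", s) calls in encrypt.c), yet nothing in the hunk says the function is debug-only. I would add `/* debug only: dumps the full state (incl. key-derived words) to stdout; never define ASCON_PRINT_STATE in a production build */` above printstate(). Separately, `int i = strlen(text)` narrows a size_t into an int; `for (size_t i = strlen(text); i < 17; ++i)` matches strlen's type.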
@@ -0,0 +1,325 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "rbegin_%=:;\n\t" + "ldrb %[tmp2], [%[tmp1], #0]\n\t" + "push {%[tmp0]}\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" + "ldrb %[tmp2], [%[tmp1], #1]\n\t" + "add %[tmp1], %[tmp1], #2\n\t" + "movs %[tmp0], %[x2_h]\n\t" + "push {%[tmp1]}\n\t" + "eor %[tmp0], %[tmp0], %[tmp2]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs 
%[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], 
#11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], %[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "pop {%[tmp1]}\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "pop {%[tmp0]}\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + "cmp %[tmp1], %[tmp0]\n\t" + "beq rend_%=\n\t" + "b rbegin_%=\n\t" + "rend_%=:;\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ tmp1 ] "+l"(C), + [ tmp0 ] "+l"(E), [ tmp2 ] "=l"(tmp1) + : + :); + printstate(" round output", s); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1, tmp2; + __asm__ __volatile__( + "@.syntax_unified\n\t" + "movs %[tmp1], %[C_e]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "movs %[tmp0], %[x0_l]\n\t" + "bic %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[tmp1], %[x2_l]\n\t" + "bic %[tmp1], %[tmp1], %[x1_l]\n\t" 
+ "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "movs %[tmp1], %[x4_l]\n\t" + "bic %[tmp1], %[tmp1], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[tmp2], %[x1_l]\n\t" + "bic %[tmp2], %[tmp2], %[x0_l]\n\t" + "eor %[tmp2], %[x4_l], %[tmp2]\n\t" + "movs %[tmp1], %[x3_l]\n\t" + "bic %[tmp1], %[tmp1], %[x2_l]\n\t" + "eor %[tmp1], %[x1_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp2]\n\t" + "movs %[x4_l], %[x4_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x3_l], %[x3_h]\n\t" + "movs %[x3_h], %[tmp0]\n\t" + "movs %[x1_h], %[tmp1]\n\t" + "movs %[tmp0], %[x0_h]\n\t" + "movs %[tmp1], %[x2_h]\n\t" + "movs %[x0_h], %[x0_l]\n\t" + "movs %[x2_h], %[x2_l]\n\t" + "movs %[x0_l], %[C_o]\n\t" + "eor %[tmp1], %[tmp1], %[x0_l]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x1_l]\n\t" + "movs %[x0_l], %[tmp0] \n\t" + "bic %[x0_l], %[x0_l], %[x4_l]\n\t" + "movs %[x2_l], %[tmp1] \n\t" + "bic %[x2_l], %[x2_l], %[x1_l]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[x2_l], %[x4_l] \n\t" + "bic %[x2_l], %[x2_l], %[x3_l]\n\t" + "eor %[tmp1], %[tmp1], %[x2_l]\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "bic %[x2_l], %[x2_l], %[tmp0]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x3_l] \n\t" + "bic %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x2_l]\n\t" + "eor %[x3_l], %[x3_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[tmp0]\n\t" + "eor %[tmp0], %[tmp0], %[x4_l]\n\t" + "movs %[x4_h], %[tmp1]\n\t" + "movs %[x2_l], %[x3_h]\n\t" + "movs %[x3_h], %[x1_l]\n\t" + "movs %[tmp1], #17\n\t" + "movs %[x0_l], %[tmp2]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[tmp2], %[x0_l]\n\t" + "movs %[x1_l], %[x4_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x4_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + 
"eor %[tmp2], %[tmp2], %[x1_l]\n\t" + "movs %[tmp1], #4\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x0_l]\n\t" + "movs %[x1_l], %[x2_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x1_l], %[x3_l], %[x1_l]\n\t" + "movs %[tmp1], #3\n\t" + "movs %[x0_l], %[x3_l]\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x0_l], %[x2_l], %[x0_l]\n\t" + "movs %[tmp1], #5\n\t" + "ror %[x0_l], %[x0_l], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[x0_l]\n\t" + "ror %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" + "movs %[x0_l], %[x0_h]\n\t" + "movs %[x1_l], %[x1_h]\n\t" + "movs %[x1_h], %[x2_l]\n\t" + "movs %[x0_h], %[tmp2]\n\t" + "movs %[tmp2], %[x4_h]\n\t" + "movs %[x4_h], %[x4_l]\n\t" + "movs %[x4_l], %[x3_h]\n\t" + "movs %[x3_h], %[x3_l]\n\t" + "movs %[x3_l], %[x0_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[tmp0], %[x3_l]\n\t" + "movs %[tmp1], #4\n\t" + "movs %[x2_l], %[tmp0]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x0_l], %[x2_l]\n\t" + "movs %[tmp1], #9\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x0_l], %[x0_l], %[x3_l]\n\t" + "movs %[tmp1], #10\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[tmp0], %[x2_l]\n\t" + "movs %[tmp1], #11\n\t" + "movs %[x2_l], %[x1_l]\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x2_l], %[x1_l], %[x2_l]\n\t" + "movs %[x3_l], %[x4_l]\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x3_l], %[x4_l], %[x3_l]\n\t" + "movs %[tmp1], #19\n\t" + "ror %[x3_l], %[x3_l], %[tmp1]\n\t" + "eor %[x1_l], %[x1_l], %[x3_l]\n\t" + "movs %[tmp1], #20\n\t" + "ror %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[x4_l], %[x4_l], %[x2_l]\n\t" + "movs %[x2_l], %[x2_h]\n\t" + "movs %[x3_l], %[x1_h]\n\t" + "movs %[x1_h], %[x4_l]\n\t" + "movs %[x2_h], %[tmp0]\n\t" + "movs %[x4_l], #2\n\t" + "mvn %[tmp0], %[tmp2]\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp0], %[x2_l], %[tmp0]\n\t" + "movs %[x4_l], #3\n\t" + "mvn %[tmp1], %[x2_l]\n\t" + "ror %[tmp1], 
%[tmp1], %[x4_l]\n\t" + "eor %[tmp1], %[tmp2], %[tmp1]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "movs %[x4_l], #1\n\t" + "ror %[tmp0], %[tmp0], %[x4_l]\n\t" + "eor %[tmp2], %[tmp2], %[tmp0]\n\t" + "movs %[x4_l], %[x0_h]\n\t" + "movs %[x0_h], %[x2_h]\n\t" + "movs %[x2_h], %[tmp2]\n\t" + : [ x0_l ] "+l"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+l"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+l"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+l"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+l"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=l"(tmp0), [ tmp1 ] "=l"(tmp1), [ tmp2 ] "=l"(tmp2) + : [ C_e ] "ri"((uint32_t)C), [ C_o ] "ri"((uint32_t)(C >> 32)) + :); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv6m/word.h 
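Review bot: ROUND_LOOP's inline asm has no comment on its operand protocol, which is the part a reviewer needs: the constant pointer `C` and end pointer `E` travel in the `tmp1`/`tmp0` operands, are pushed at the top of each iteration so those low registers can be reused as scratch, and are popped again before the `cmp %[tmp1], %[tmp0]` that ends the loop. A header comment such as `/* C: current round-constant pair, E: one past the last pair; both are spilled with push/pop so all low registers are free for the state */` would make that reviewable. The asm also reads the constants table through `ldrb` without a memory input operand; adding `"memory"` to the clobber list (the trailing `:);`) makes that dependency explicit to the compiler. The same points apply to ROUND, which shares the register shuffle but takes its constant as the `C_e`/`C_o` immediates.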
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+}
+
+#endif
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/api.h
new file mode 100644
index 0000000..085b24c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/api.h
@@ -0,0 +1,7 @@
+#define CRYPTO_VERSION "1.2.6"
+#define CRYPTO_KEYBYTES 20
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
+#define ASCON_AEAD_RATE 8
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/architectures
new file mode 100644
index 0000000..a07c7a4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/architectures
@@ -0,0 +1,3 @@
+aarch64
+armeabi
+arm
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/ascon.h
new file mode 100644
index 0000000..196110e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/ascon.h
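Review bot: LOAD() and STORE() always touch a full 8 bytes through `*(uint64_t*)bytes` no matter what n is, so the final-block calls in encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `LOAD(c, clen)` and `STORE(m, *px, clen)` in the hunk ending at L2000) read up to 7 bytes past the caller's buffer and, in ascon_decrypt, write up to 7 bytes past the end of m unless the caller sized m for the whole clen. The cast also assumes unaligned 64-bit access is permitted, which I do not believe holds on armv6m (Cortex-M0 class) cores, so it can fault for unaligned inputs as well. LOADBYTES()/STOREBYTES() in this same hunk are bounded by n and produce the same word, so the final blocks should use them, e.g. `*px ^= LOADBYTES(m, mlen);` and `STOREBYTES(c, *px, mlen);`. A comment on LOAD/STORE such as `/* full-block access only: always reads/writes 8 bytes at bytes, n only masks the value */` would stop the next caller from repeating this.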
@@ -0,0 +1,32 @@
+#ifndef ASCON_H_
+#define ASCON_H_
+
+#include
+
+#include "word.h"
+
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
+} state_t;
+
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
+void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k);
+void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen);
+void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen);
+void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen);
+void ascon_final(state_t* s, const key_t* k);
+
+void ascon_inithash(state_t* s);
+void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen);
+void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen);
+
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/config.h
new file mode 100644
index 0000000..3070584
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/config.h
@@ -0,0 +1,29 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+/* inline the ascon mode */
+#ifndef ASCON_INLINE_MODE
+#define ASCON_INLINE_MODE 1
+#endif
+
+/* inline all permutations */
+#ifndef ASCON_INLINE_PERM
+#define ASCON_INLINE_PERM 1
+#endif
+
+/* unroll permutation loops */
+#ifndef ASCON_UNROLL_LOOPS
+#define ASCON_UNROLL_LOOPS 1
+#endif
+
+/* inline bitinterleaving */
+#ifndef ASCON_INLINE_BI
+#define ASCON_INLINE_BI 1
+#endif
+
+/* extern bitinterleaving */
+#ifndef ASCON_EXTERN_BI
+#define ASCON_EXTERN_BI 0
+#endif
+
+#endif /* CONFIG_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.c
new file mode 100644
index 0000000..4d93b8e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.c
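Review bot: The `key_t` typedef in ascon.h reuses a name that `<sys/types.h>` defines for POSIX (the SysV IPC key type), so any translation unit that pulls that header in transitively gets a conflicting typedef; a project-prefixed name such as `ascon_key_t` avoids the clash. The `#if (CRYPTO_KEYBYTES == 20)` guard around `k0` also depends on api.h having been included before ascon.h, but ascon.h only includes word.h, and printstate.c reaches ascon.h through printstate.h without api.h, where the macro is undefined and evaluates to 0. Either include api.h from ascon.h or guard it explicitly: `#ifndef CRYPTO_KEYBYTES` / `#error "api.h must be included before ascon.h"` / `#endif`.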
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/encrypt.c 
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/endian.h 
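Review bot: crypto_aead_decrypt leaves the fully decrypted plaintext in `m` when NOTZERO() reports a tag mismatch, so a caller that ignores the return value or reads `m` before checking it consumes unauthenticated data. At minimum the return deserves `/* on failure m still holds unverified plaintext; callers must discard it */`, and clearing it is cheap enough to do here: `int result = NOTZERO(s.x[3], s.x[4]); if (result) memset(m, 0, *mlen); return result;` (memset needs `<string.h>`). The existing `(should be constant time, check compiler output)` comment is right that NOTZERO is branch-free, but the early `if (clen < CRYPTO_ABYTES) return -1;` is the only length check, so a comment there that `*mlen` is not written on that path would help callers too.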
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/forceinline.h
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.c
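Review bot: The `#elif defined(__CLANG__)` branch in forceinline.h is unreachable: clang predefines `__clang__` (lowercase) and `__GNUC__`, so every clang build already took the `__GNUC__` branch above it and the `__has_attribute` probe is never evaluated. Either drop the branch or write it as `#elif defined(__clang__)` and move it ahead of the `__GNUC__` test if the attribute probe is the intent. It is harmless today because both branches expand to the same attribute, but the dead test misleads the next reader into thinking clang is probed.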
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.c 
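Review bot: `deinterleave32` and `interleave32` narrow the 64-bit input with plain assignments (`uint32_t lo = in;`, `uint32_t e = in;`), which is intended here but is the kind of implicit truncation that `-Wconversion` builds flag; writing `uint32_t lo = (uint32_t)in;` and `uint32_t e = (uint32_t)in;` makes the intent explicit and keeps the header warning-clean for consumers. The comma-operator form `t = ...,  x ^= ...` in `deinterleave16`/`interleave16` is equivalent to two statements and a semicolon would read more conventionally. The two `#include` lines at the top of the hunk show no header name in this rendering; presumably `<stdint.h>` was lost in extraction rather than in the source — worth confirming against the file.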
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.h new file mode 100644 index 0000000..5c9c4e2 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/permutations.h 
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.c 
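Review bot: Both inline definitions of `P(state_t* s, int nr)` in permutations.h dispatch with three independent `if` tests and silently do nothing for any `nr` other than 12, 8 or 6; for a permutation that is the worst failure mode, because the state is left unpermuted and everything downstream still "works". Current callers in encrypt.c only pass 12 or a rate-derived 6/8, so it is unreachable today, but the contract should be stated on both variants, e.g. `/* nr must be 12, 8 or 6; any other value leaves the state unchanged */`, or the last branch made an `else` that asserts. The same three-way test is repeated in the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` variant a few lines below.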
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/round.h new file mode 100644 index 0000000..3f3691b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/round.h 
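Review bot: `printstate` dumps the full five-word state to stdout at every call site, including the "init 1st key xor" and "final 1st key xor" points in encrypt.c where the state is key-dependent, so a build with `ASCON_PRINT_STATE` defined leaks key material through the console; a comment above the `#ifdef`, e.g. `/* debug only: prints key-dependent state, never enable in a production build */`, would make that explicit for anyone flipping the flag. Two smaller points in the same hunk: the fallback `#define WORDTOU64` / `#define U64BIG` are object-like macros with empty expansion, so `U64BIG(WORDTOU64(x))` only happens to reduce to `(x)`; `#define WORDTOU64(x) (x)` says what is meant. And `for (int i = strlen(text); ...)` stores a `size_t` in an `int`, which some warning levels flag; `(int)strlen(text)` or a `size_t` loop variable is cleaner.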
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m/word.h 
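Review bot: `ROUND_LOOP` reads the round constants through `C` inside the asm (`ldrb %[tmp1], [%[C]], #1`) but the statement declares no memory input and no `"memory"` clobber, so from the compiler's point of view the asm only touches registers. Because `constants` is a `const` table defined in another translation unit this is unlikely to be reordered in practice, but the asm contract is incomplete; adding an input operand over the table, e.g. `"m"(*(const uint8_t (*)[24])C)` with 24 matching the table length in constants.c, or a `"memory"` clobber, documents the dependency. The `"cc"` clobber on `ROUND_LOOP` is correct for its `cmp`, and the empty clobber lists on `ROUND` and `ROUND5` are consistent with their use of only non-flag-setting `eor`/`orn`/`bic`/`and`/`orr`. `ROUND_LOOP` itself starts at the top of this hunk and is fully in view.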
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/architectures b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/architectures new file mode 100644 index 0000000..a07c7a4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/architectures @@ -0,0 +1,3 @@ +aarch64 +armeabi +arm diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/ascon.h 
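Review bot: `LOAD` and `STORE` always access a full 8 bytes through `*(uint64_t*)bytes` and only mask the value afterwards, so with `n < 8` `LOAD` reads up to 7 bytes past the caller's buffer and `STORE` performs a read-modify-write on bytes the caller never handed over (encrypt.c calls `LOAD(ad, adlen)` and `LOAD(m, mlen)` on the final partial block). The cast also creates an unaligned 64-bit access that violates strict aliasing and can trap on targets where unaligned doubleword loads are not permitted. `LOADBYTES`/`STOREBYTES` right below already use `memcpy` with the exact length and are the safe choice for partial blocks; if the over-read is a deliberate speed trade-off it should be stated on `LOAD`/`STORE`, e.g. `/* accesses 8 bytes regardless of n; caller's buffer must be readable/writable for 8 bytes */`. The `word.h` hunk starts on the previous line and is fully in view.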
@@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/config.h new file mode 100644 index 0000000..525682c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/config.h @@ -0,0 +1,29 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 0 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.c 
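Review bot: The `key_t` struct in ascon.h conditions its `k0` member on `CRYPTO_KEYBYTES`, but the header does not include api.h where that macro is defined; the layout therefore depends on include order in each translation unit, and a TU that includes ascon.h without api.h first gets a `key_t` without `k0` (an undefined macro evaluates to 0 in `#if`). encrypt.c happens to include api.h first, so adding `#include "api.h"` here, or `#error "CRYPTO_KEYBYTES must be defined"` when it is missing, makes the header self-contained. Separately, `key_t` is a POSIX typedef from `<sys/types.h>`, so the name will clash on a hosted platform that pulls in system headers; a prefixed `ascon_key_t` avoids that.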
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/encrypt.c 
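Review bot: `RC(i)` does not parenthesize its argument while the neighbouring `START(n)` does; `constants[i + 1]` is harmless for the plain integer arguments used today but breaks for any expression with lower precedence, so for consistency write `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])`. A one-line comment on `START`, e.g. `/* byte offset into constants[] of the first round constant for an n-round permutation */`, would also explain the `24 - 2 * (n)` arithmetic, which otherwise requires reading constants.c and round.h together.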
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/endian.h 
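Review bot: `crypto_aead_decrypt` writes the decrypted bytes to `m` before the tag is checked and, on a tag mismatch, returns -1 with `*mlen` already set to the plaintext length and the unauthenticated plaintext left in the buffer, which makes it easy for a caller to consume it by mistake. The NIST API allows the early write, but a defensive finish costs little: `int ret = NOTZERO(s.x[3], s.x[4]); if (ret) { memset(m, 0, clen); *mlen = 0; } return ret;` — `memset` presumably comes via the string header word.h already relies on for `memcpy`, worth confirming. The `/* verify tag (should be constant time, check compiler output) */` comment is appropriate, since `NOTZERO` is branch-free only as long as the compiler keeps it that way.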
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/forceinline.h 
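Review bot: The little-endian `U64BIG`, `U32BIG` and `U16BIG` macros expand their argument eight, four and two times respectively, so an argument with side effects or a costly sub-expression is re-evaluated on every use; the callers visible in this patch pass plain values, but the constraint is not stated anywhere. A one-line comment above the macros, `/* NOTE: the argument is evaluated multiple times; pass a plain variable */`, would make it explicit for future callers. The `defined(_MSC_VER)` branch treats every MSVC target as little-endian, which holds for the platforms MSVC currently supports but is an assumption rather than a byte-order probe.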
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.c
new file mode 100644
index 0000000..effd40b
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.c
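Review bot: The `#elif defined(__CLANG__)` branch is unreachable: clang defines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so clang is always taken by the preceding `__GNUC__` branch and the `__has_attribute` probe never runs. The branch is dead code; either drop it, or change it to `#elif defined(__clang__)` and move it ahead of the GNU test if the attribute probe is actually wanted for clang. In both cases clang ends up with the same `inline __attribute__((__always_inline__))` definition, so this is a clean-up rather than a behaviour change.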
@@ -0,0 +1,15 @@
+#include "interleave.h"
+
+#if !ASCON_EXTERN_BI
+
+const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0};
+
+#if !ASCON_INLINE_BI
+
+uint64_t TOBI(uint64_t in) { return deinterleave32(in); }
+
+uint64_t FROMBI(uint64_t in) { return interleave32(in); }
+
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.h
new file mode 100644
index 0000000..e5d6703
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/interleave.h
@@ -0,0 +1,67 @@ +#ifndef INTERLEAVE_H_ +#define INTERLEAVE_H_ + +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" + +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} + +#endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.c 
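Review bot: The exported mask table is a single-letter symbol with external linkage (`extern const uint32_t B[3]`, defined in interleave.c in the previous hunk), which is easy to collide with when this code is linked into a larger firmware image; a project-prefixed name such as `ascon_bi_masks` would match the `ASCON_*` convention the configuration macros already follow. The `#include` on the fourth line shows no header name in this rendering, presumably `<stdint.h>` lost to angle-bracket stripping, which is worth confirming against the repository. The interleave helpers themselves use only shifts, masks and fixed-index table reads, consistent with the constant-time goals recorded in the goal-constbranch and goal-constindex files.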
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.h
new file mode 100644
index 0000000..5c9c4e2
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/permutations.h
@@ -0,0 +1,123 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +#define LOADSTATE(s, a, b, c, d, e) \ + do { \ + a.x = s->x[0]; \ + b.x = s->x[1]; \ + c.x = s->x[2]; \ + d.x = s->x[3]; \ + e.x = s->x[4]; \ + } while (0) + +#define STORESTATE(s, a, b, c, d, e) \ + do { \ + s->x[0] = a.x; \ + s->x[1] = b.x; \ + s->x[2] = c.x; \ + s->x[3] = d.x; \ + s->x[4] = e.x; \ + } while (0) + +forceinline void P12ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC0); + ROUND5(x2, x3, x4, x0, x1, RC1); + ROUND5(x4, x0, x1, x2, x3, RC2); + ROUND5(x1, x2, x3, x4, x0, RC3); + ROUND5(x3, x4, x0, x1, x2, RC4); + ROUND5(x0, x1, x2, x3, x4, RC5); + ROUND5(x2, x3, x4, x0, x1, RC6); + ROUND5(x4, x0, x1, x2, x3, RC7); + ROUND5(x1, x2, x3, x4, x0, RC8); + ROUND5(x3, x4, x0, x1, x2, RC9); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCa); + ROUND5(x2, x3, x4, x0, x1, RCb); + STORESTATE(s, x4, x0, x1, x2, x3); +#else + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P8ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC4); + ROUND5(x2, x3, x4, x0, x1, RC5); + ROUND5(x4, x0, x1, x2, x3, RC6); + ROUND5(x1, x2, x3, x4, x0, RC7); + ROUND5(x3, x4, x0, x1, x2, RC8); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RC9); + ROUND5(x2, x3, x4, x0, x1, RCa); + ROUND5(x4, x0, x1, x2, x3, RCb); + STORESTATE(s, x1, x2, x3, x4, x0); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +#endif +} + +forceinline void P6ROUNDS(state_t* s) { + word_t x0, x1, x2, x3, x4; + LOADSTATE(s, x0, x1, x2, x3, x4); + ROUND5(x0, x1, x2, x3, x4, RC6); + ROUND5(x2, x3, x4, x0, x1, RC7); + ROUND5(x4, x0, x1, x2, x3, RC8); 
+ ROUND5(x1, x2, x3, x4, x0, RC9); + ROUND5(x3, x4, x0, x1, x2, RCa); +#if !ASCON_INLINE_PERM + ROUND5(x0, x1, x2, x3, x4, RCb); + STORESTATE(s, x2, x3, x4, x0, x1); +#else /* ASCON_INLINE_PERM */ + STORESTATE(s, x0, x1, x2, x3, x4); + ROUND(s, RCb); +#endif +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.c new file mode 100644 index 0000000..8aa5862 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.c 
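Review bot: The `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` dispatcher declares `P12`, `P8` and `P6` unconditionally and calls whichever one `nr` selects, but permutations.c (previous hunk) only defines `P8` when `ASCON_AEAD_RATE == 16` (or `ASCON_HASH_ROUNDS == 8`) and `P6` only when `ASCON_AEAD_RATE == 8`. Linking therefore relies on the compiler folding the non-matching `if (nr == 8) P8(s)` / `if (nr == 6) P6(s)` away after inlining; at `-O0`, or with a compiler that does not propagate the callers' `const int nr`, this can surface as an undefined reference at link time. Guarding the declarations and the calls with the same preprocessor conditions as the definitions, or at least a comment `/* only the rate-matching P6/P8 exists; the other call must be folded away */`, would make the dependency explicit.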
@@ -0,0 +1,40 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/round.h new file mode 100644 index 0000000..3f3691b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/round.h 
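Review bot: `printstate` dumps the full 320-bit state, including the words that hold key material after `ascon_initaead`, to stdout whenever `ASCON_PRINT_STATE` is defined, and nothing in printstate.c or printstate.h marks this as a test-only switch. A comment at the top of the `#ifdef ASCON_PRINT_STATE` block, `/* debugging aid only: dumps secret internal state to stdout; never define in a production build */`, would state that, and the macro should stay out of any default build configuration. The padding loop `for (int i = strlen(text); i < 17; ++i)` also narrows a `size_t` to `int`; harmless for these short labels but it will warn under `-Wconversion`.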
@@ -0,0 +1,219 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND_LOOP(state_t* s, const uint8_t* C, const uint8_t* E) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "rbegin_%=:;\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "ldrb %[tmp1], [%[C]], #1\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], 
%[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + "cmp %[C], %[E]\n\t" + "bne rbegin_%=\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), [ C ] "+r"(C), + [ E ] "+r"(E), [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : + : "cc"); +} + +forceinline void ROUND(state_t* s, uint64_t C) { + uint32_t tmp0, tmp1; + __asm__ __volatile__( + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x4_l], %[x4_l], %[x3_l]\n\t" + "eor %[x2_l], %[x2_l], %[x1_l]\n\t" + "orn %[tmp0], %[x4_l], %[x0_l]\n\t" + "eor %[x2_l], %[x2_l], %[C_e]\n\t" + "bic %[tmp1], %[x2_l], %[x1_l]\n\t" + "eor %[x0_l], %[x0_l], %[tmp1]\n\t" + "orn %[tmp1], %[x3_l], %[x4_l]\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "bic %[tmp1], %[x1_l], %[x0_l]\n\t" + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" + "and %[tmp1], %[x3_l], %[x2_l]\n\t" + "eor %[x1_l], %[x1_l], %[tmp1]\n\t" + "eor %[x3_l], %[x3_l], %[tmp0]\n\t" + "eor %[x1_l], %[x1_l], %[x0_l]\n\t" + "eor %[x3_l], %[x3_l], %[x2_l]\n\t" + "eor %[x0_l], %[x0_l], %[x4_l]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[x4_h], %[x4_h], %[x3_h]\n\t" + "eor %[x2_h], %[x2_h], %[C_o]\n\t" + "eor %[x2_h], %[x2_h], %[x1_h]\n\t" + "orn %[tmp0], %[x4_h], %[x0_h]\n\t" + "bic %[tmp1], %[x2_h], %[x1_h]\n\t" + "eor %[x0_h], %[x0_h], %[tmp1]\n\t" + "orn %[tmp1], %[x3_h], %[x4_h]\n\t" + 
"eor %[x2_h], %[x2_h], %[tmp1]\n\t" + "bic %[tmp1], %[x1_h], %[x0_h]\n\t" + "eor %[x4_h], %[x4_h], %[tmp1]\n\t" + "and %[tmp1], %[x3_h], %[x2_h]\n\t" + "eor %[x1_h], %[x1_h], %[tmp1]\n\t" + "eor %[x3_h], %[x3_h], %[tmp0]\n\t" + "eor %[x1_h], %[x1_h], %[x0_h]\n\t" + "eor %[x3_h], %[x3_h], %[x2_h]\n\t" + "eor %[x0_h], %[x0_h], %[x4_h]\n\t" + "eor %[tmp0], %[x0_l], %[x0_h], ror #4\n\t" + "eor %[tmp1], %[x0_h], %[x0_l], ror #5\n\t" + "eor %[x0_h], %[x0_h], %[tmp0], ror #10\n\t" + "eor %[x0_l], %[x0_l], %[tmp1], ror #9\n\t" + "eor %[tmp0], %[x1_l], %[x1_l], ror #11\n\t" + "eor %[tmp1], %[x1_h], %[x1_h], ror #11\n\t" + "eor %[x1_h], %[x1_h], %[tmp0], ror #20\n\t" + "eor %[x1_l], %[x1_l], %[tmp1], ror #19\n\t" + "eor %[tmp0], %[x2_l], %[x2_h], ror #2\n\t" + "eor %[tmp1], %[x2_h], %[x2_l], ror #3\n\t" + "eor %[x2_h], %[x2_h], %[tmp0], ror #1\n\t" + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" + "eor %[tmp0], %[x3_l], %[x3_h], ror #3\n\t" + "eor %[tmp1], %[x3_h], %[x3_l], ror #4\n\t" + "eor %[x3_l], %[x3_l], %[tmp0], ror #5\n\t" + "eor %[x3_h], %[x3_h], %[tmp1], ror #5\n\t" + "eor %[tmp0], %[x4_l], %[x4_l], ror #17\n\t" + "eor %[tmp1], %[x4_h], %[x4_h], ror #17\n\t" + "eor %[x4_h], %[x4_h], %[tmp0], ror #4\n\t" + "eor %[x4_l], %[x4_l], %[tmp1], ror #3\n\t" + : [ x0_l ] "+r"(s->w[0][0]), [ x0_h ] "+r"(s->w[0][1]), + [ x1_l ] "+r"(s->w[1][0]), [ x1_h ] "+r"(s->w[1][1]), + [ x2_l ] "+r"(s->w[2][0]), [ x2_h ] "+r"(s->w[2][1]), + [ x3_l ] "+r"(s->w[3][0]), [ x3_h ] "+r"(s->w[3][1]), + [ x4_l ] "+r"(s->w[4][0]), [ x4_h ] "+r"(s->w[4][1]), + [ tmp0 ] "=r"(tmp0), [ tmp1 ] "=r"(tmp1) + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) + :); +} + +#define ROUND5(x0, x1, x2, x3, x4, C) \ + do { \ + uint32_t tmp0, tmp1, tmp2; \ + /* Based on the round description of Ascon given in the Bachelor's */ \ + /* thesis: "Optimizing Ascon on RISC-V" of Lars Jellema */ \ + /* see https://github.com/Lucus16/ascon-riscv/ */ \ + __asm__ __volatile__( \ + "eor %[x2_l], %[x2_l], %[C_e]\n\t" \ + 
"eor %[tmp0], %[x1_l], %[x2_l]\n\t" \ + "eor %[tmp1], %[x0_l], %[x4_l]\n\t" \ + "eor %[tmp2], %[x3_l], %[x4_l]\n\t" \ + "orn %[x4_l], %[x3_l], %[x4_l]\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[x1_l]\n\t" \ + "orr %[x3_l], %[x3_l], %[tmp0]\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1]\n\t" \ + "orr %[x2_l], %[x2_l], %[x1_l]\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp2]\n\t" \ + "bic %[x1_l], %[x1_l], %[tmp1]\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp2]\n\t" \ + "orr %[x0_l], %[x0_l], %[tmp2]\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0]\n\t" \ + "eor %[x2_h], %[x2_h], %[C_o]\n\t" \ + "eor %[tmp0], %[x1_h], %[x2_h]\n\t" \ + "eor %[tmp1], %[x0_h], %[x4_h]\n\t" \ + "eor %[tmp2], %[x3_h], %[x4_h]\n\t" \ + "orn %[x4_h], %[x3_h], %[x4_h]\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[x1_h]\n\t" \ + "orr %[x3_h], %[x3_h], %[tmp0]\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp1]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp1]\n\t" \ + "orr %[x2_h], %[x2_h], %[x1_h]\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp2]\n\t" \ + "bic %[x1_h], %[x1_h], %[tmp1]\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp2]\n\t" \ + "orr %[x0_h], %[x0_h], %[tmp2]\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp0]\n\t" \ + "eor %[tmp0], %[x2_l], %[x2_h], ror #4\n\t" \ + "eor %[tmp1], %[x2_h], %[x2_l], ror #5\n\t" \ + "eor %[x2_h], %[x2_h], %[tmp0], ror #10\n\t" \ + "eor %[x2_l], %[x2_l], %[tmp1], ror #9\n\t" \ + "eor %[tmp0], %[x3_l], %[x3_l], ror #11\n\t" \ + "eor %[tmp1], %[x3_h], %[x3_h], ror #11\n\t" \ + "eor %[x3_h], %[x3_h], %[tmp0], ror #20\n\t" \ + "eor %[x3_l], %[x3_l], %[tmp1], ror #19\n\t" \ + "eor %[tmp0], %[x4_l], %[x4_h], ror #2\n\t" \ + "eor %[tmp1], %[x4_h], %[x4_l], ror #3\n\t" \ + "eor %[x4_h], %[x4_h], %[tmp0], ror #1\n\t" \ + "eor %[x4_l], %[x4_l], %[tmp1]\n\t" \ + "eor %[tmp0], %[x0_l], %[x0_h], ror #3\n\t" \ + "eor %[tmp1], %[x0_h], %[x0_l], ror #4\n\t" \ + "eor %[x0_l], %[x0_l], %[tmp0], ror #5\n\t" \ + "eor %[x0_h], %[x0_h], %[tmp1], ror #5\n\t" 
\ + "eor %[tmp0], %[x1_l], %[x1_l], ror #17\n\t" \ + "eor %[tmp1], %[x1_h], %[x1_h], ror #17\n\t" \ + "eor %[x1_h], %[x1_h], %[tmp0], ror #4\n\t" \ + "eor %[x1_l], %[x1_l], %[tmp1], ror #3\n\t" \ + : [ x0_l ] "+r"(x0.w[0]), [ x0_h ] "+r"(x0.w[1]), \ + [ x1_l ] "+r"(x1.w[0]), [ x1_h ] "+r"(x1.w[1]), \ + [ x2_l ] "+r"(x2.w[0]), [ x2_h ] "+r"(x2.w[1]), \ + [ x3_l ] "+r"(x3.w[0]), [ x3_h ] "+r"(x3.w[1]), \ + [ x4_l ] "+r"(x4.w[0]), [ x4_h ] "+r"(x4.w[1]), [ tmp0 ] "=r"(tmp0), \ + [ tmp1 ] "=r"(tmp1), [ tmp2 ] "=r"(tmp2) \ + : [ C_e ] "i"((uint32_t)C), [ C_o ] "i"((uint32_t)(C >> 32)) \ + :); \ + } while (0) + +forceinline void PROUNDS(state_t* s, int nr) { + ROUND_LOOP(s, constants + START(nr), constants + 24); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/word.h new file mode 100644 index 0000000..d685b5e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_armv7m_small/word.h 
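Review bot: `PROUNDS(s, nr)` derives the constant range as `constants + START(nr)` to `constants + 24`, and `ROUND_LOOP` executes its body once before the `cmp %[C], %[E]` test, so `nr == 0` reads past the table on the first iteration and then never terminates, and any `nr` outside 6/8/12 indexes outside the table. The visible callers only pass 6, 8 or 12, so this is a documentation point: a comment on `PROUNDS`, `/* nr must be 6, 8 or 12: the round loop body runs at least once */`, pins the contract. Separately, `ROUND` and `ROUND5` pass the round constant through `"i"` constraints, which only assemble when the call is inlined with a constant argument; if `forceinline` degrades to plain `inline` (the fallback in forceinline.h) a non-inlined `ROUND` call fails with an impossible-constraint error, which deserves a comment next to the constraint.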
@@ -0,0 +1,116 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "config.h" +#include "endian.h" +#include "forceinline.h" +#include "interleave.h" + +#if ASCON_EXTERN_BI + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +#else + +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) + +#endif + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); +} + +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; +} + +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); +} + +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); 
+} + +#endif + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/api.h index 017428a..085b24c 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/api.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 20 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/ascon.h 
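Review bot: `LOAD` and `STORE` always access a full 8 bytes through `*(uint64_t*)bytes` regardless of `n`: `LOAD(ad, adlen)` on a short final block reads up to 7 bytes past the caller's buffer, and `STORE` ORs in every byte of `WORDTOU64(w)`, so bytes `n..7` of the destination receive rate-state bits unless the caller cleared them first (the decrypt path visible at the top of this chunk calls `STORE(m, *px, clen)` before `CLEAR`, so `m[clen..7]` ends up holding state bytes). That is only acceptable if every caller guarantees at least 8 addressable bytes of slack around short blocks; the contract should be written on `LOAD`/`STORE`, e.g. `/* touches 8 bytes at `bytes` even when n < 8; buffers need 8 bytes of slack */`, or the short-block paths should use the `memcpy`-based `LOADBYTES`/`STOREBYTES` defined just below. The cast also tells the compiler the pointer is 8-byte aligned, so it may emit `ldrd`/`strd`, which fault on unaligned addresses on ARMv7-M even with unaligned access enabled; confirm the alignment of the buffers the callers pass.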
@@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/config.h index ca30428..d9e51c1 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/config.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/config.h @@ -16,4 +16,14 @@ #define ASCON_UNROLL_LOOPS 0 #endif +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 1 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + #endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.c 
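Review bot: The new `key_t` typedef shares its name with the POSIX `key_t` from `<sys/types.h>`; on hosted toolchains where that header is pulled in transitively (glibc's `<stdlib.h>` typically does so under the default feature macros) this becomes a conflicting-typedef error, even though a bare-metal armv7m build will not notice. A project-prefixed name such as `ascon_key_t` avoids the clash and matches the `ascon_*` naming of the functions declared next to it. The `#if (CRYPTO_KEYBYTES == 20)` member also makes the struct layout depend on api.h, so the include list above this hunk must bring in `CRYPTO_KEYBYTES` before the typedef; only `word.h` is visible here, so that is worth confirming.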
@@ -0,0 +1,9 @@
+#include "constants.h"
+
+#if !ASCON_UNROLL_LOOPS
+
+const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9,
+ 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9,
+ 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3};
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.h
new file mode 100644
index 0000000..d353d10
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/constants.h
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/encrypt.c 
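Review bot: `RC(i)` expands to `constants[i + 1]` and `constants[i]` without parenthesising its parameter and evaluates `i` twice; `#define RC(i) ((uint64_t)constants[(i) + 1] << 32 | constants[(i)])` follows the convention that `START(n)` in the same header already uses. The `#include` at the top of the header shows no file name in this rendering, presumably `<stdint.h>` which `uint64_t` and `uint8_t` require; worth confirming against the repository.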
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.c new file mode 100644 index 0000000..effd40b --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.c @@ -0,0 +1,15 @@ +#include "interleave.h" + +#if !ASCON_EXTERN_BI + +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; + +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.h index 7dfa822..e5d6703 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/interleave.h 
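Review bot: The partial-block path in `ascon_decrypt` writes the last `clen < 8` plaintext bytes with `STORE(m, *px, clen)`, and `STORE` as defined in this patch's word.h clears only the first `n` bytes of a full `uint64_t` at the pointer and then ORs in the whole word, so the bytes past the `*mlen`-byte output buffer the caller provided receive state-derived values; `LOAD(m, mlen)` in `ascon_encrypt` and `LOAD(ad, adlen)` in `ascon_adata` likewise read 8 bytes from inputs that may be shorter. Unless the build guarantees 8-byte-padded buffers (nothing in this patch shows that), the final block should use the memcpy-based `LOADBYTES`/`STOREBYTES` from the same header, which appear to yield the same word for `n <= 8` on little-endian targets, e.g. `STOREBYTES(m, *px, clen);` and `*px ^= LOADBYTES(ad, adlen);`. Separately, `crypto_aead_decrypt` has already written the candidate plaintext to `m` when `NOTZERO` reports a mismatch; a comment above the return, `/* on -1, m holds unauthenticated data: callers must discard it */`, makes that part of the API contract explicit.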
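Review bot: `const uint32_t B[3]` in interleave.c is an external symbol with a one-letter name, declared `extern const uint32_t B[3];` in the interleave.h hunk that follows, so every translation unit including the header gets a global `B` that will clash with any user or library identifier of that name. A project-prefixed name (`ascon_bi_masks`, constructed here) in the definition, the `extern` declaration and the `deinterleave16`/`interleave16` readers avoids this. When `ASCON_EXTERN_BI` is set the array is not defined here but the header still declares it, which presumably means an external provider supplies it; a one-line comment above the `extern` stating that would save the next reader the search.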
@@ -3,47 +3,65 @@ #include +#include "config.h" +#include "endian.h" #include "forceinline.h" -forceinline uint32_t deinterleave_uint32(uint32_t x) { +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); return x; } -forceinline uint32_t interleave_uint32(uint32_t x) { +forceinline uint32_t interleave16(uint32_t x) { uint32_t t; - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); return x; } /* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); uint32_t hi = in >> 32; uint32_t lo = in; - uint32_t r0, r1; - lo = deinterleave_uint32(lo); - hi = deinterleave_uint32(hi); - r0 = (lo & 0x0000FFFF) | (hi << 16); - r1 = (lo >> 16) | (hi & 0xFFFF0000); - return (uint64_t)r1 << 32 | r0; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; } /* credit to Henry S. 
Warren, Hacker's Delight, Addison-Wesley, 2002 */ forceinline uint64_t interleave32(uint64_t in) { - uint32_t r0 = in; - uint32_t r1 = in >> 32; - uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16); - uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000); - lo = interleave_uint32(lo); - hi = interleave_uint32(hi); - return (uint64_t)hi << 32 | lo; + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); } #endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.c index 8e9b3c1..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.c @@ -1,17 +1,22 @@ #include "permutations.h" -#if !ASCON_UNROLL_LOOPS +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9}, - {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9}, - {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}}; +void P12(state_t* s) { P12ROUNDS(s); } #endif -#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -void P12(state_t* s) { P12ROUNDS(s); } void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.h index 336d7bb..feaa7dc 100644 
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/permutations.h 
@@ -6,104 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8021000008220000ull) -#define ASCON_128A_IV WORD_T(0x8822000000200000ull) -#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull) -#define ASCON_HASH_IV WORD_T(0x0020000008020010ull) -#define ASCON_XOF_IV WORD_T(0x0020000008020000ull) - -#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull) -#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull) -#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull) -#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull) -#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull) - -#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull) -#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull) -#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull) -#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full) -#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull) - -#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull) -#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull) -#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull) -#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull) -#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull) - -#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull) -#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull) -#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull) -#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull) -#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull) - -#define START(n) (12 - 
n) -#define RC(e, o) WORD_T((uint64_t)o << 32 | e) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xc, 0xc)); - ROUND(s, RC(0x9, 0xc)); - ROUND(s, RC(0xc, 0x9)); - ROUND(s, RC(0x9, 0x9)); - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); -} - -extern const uint8_t constants[][2]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) - ROUND(s, RC(constants[i][0], constants[i][1])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.c index 6cb5f4d..8aa5862 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.c 
@@ -1,21 +1,40 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else 
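Review bot: `for (int i = strlen(text); i < 17; ++i)` in `printstate` converts a `size_t` to `int` silently and compares signed with unsigned-derived values; `for (size_t i = strlen(text); i < 17; ++i) printf(" ");` keeps the types consistent. These functions are gated by `#ifdef ASCON_PRINT_STATE` and dump the full state, which in encrypt.c is key-dependent from `init 1st key xor` onwards, so a comment at the top of the file such as `/* debug only: prints key-dependent state; never enable in production builds */` would make the gate's purpose explicit.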
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/round.h index b4635a6..2b8d9f1 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/round.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/round.h 
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= 
ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/word.h index 688e605..d685b5e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/word.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowreg/word.h 
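Review bot: The new `PROUNDS` in round.h loops `do { ROUND(s, RC(i)); i += INC; } while (i != END);`, replacing the `for (int i = START(nr); i < 12; i++)` form removed from permutations.h in this patch: for any `nr` outside 1..12 (`nr == 0` gives `START(0) == 24`) the body runs at least once, `RC(i)` indexes `constants[]` past its 24 entries, and `i` steps over `END` without ever equalling it. The callers in this patch only pass 6, 8 and 12, but a bounded loop costs nothing here: `for (int i = START(nr); i < END; i += INC) ROUND(s, RC(i));`.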
@@ -2,104 +2,115 @@ #define WORD_H_ #include +#include +#include "config.h" #include "endian.h" #include "forceinline.h" #include "interleave.h" -typedef struct { - uint32_t e; - uint32_t o; -} word_t; - -forceinline uint32_t ROR32(uint32_t x, int n) { - return (n == 0) ? x : x >> n | x << (32 - n); -} - -forceinline word_t ROR(word_t x, int n) { - word_t r; - r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2); - r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2); - return r; -} +#if ASCON_EXTERN_BI -forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; } +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; } +#else -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); } +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) -forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); } +#endif -forceinline word_t NOT(word_t a) { - a.e = ~a.e; - a.o = ~a.o; - return a; -} +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -forceinline word_t XOR(word_t a, word_t b) { - a.e ^= b.e; - a.o ^= b.o; - return a; +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); } -forceinline word_t AND(word_t a, word_t b) { - a.e &= b.e; - a.o &= b.o; - return a; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? 
ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t r; - r.e = lo2hi.e << 16 | hi2lo.e >> 16; - r.o = lo2hi.o << 16 | hi2lo.o >> 16; - return r; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; } -forceinline int NOTZERO(word_t a, word_t b) { - uint32_t result = a.e | a.o | b.e | b.o; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { - return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32); +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint32_t mask = 0x0fffffff >> (n * 4 - 4); - w.e &= mask; - w.o &= mask; - return w; + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); } +#endif + forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { 
uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/api.h index 017428a..085b24c 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/api.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 20 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/ascon.h index 471e4a5..70a4dee 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/ascon.h 
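Review bot: The new `STORE` body keeps `*(uint64_t*)bytes &= ~MASK(n);` and adds `*(uint64_t*)bytes |= WORDTOU64(w);`, and `LOAD` keeps `*(uint64_t*)bytes & MASK(n)`: accessing a `uint8_t` buffer through a `uint64_t*` violates strict aliasing and is an unaligned access on targets that trap on it, and both functions touch 8 bytes regardless of `n`. The rewritten `LOADBYTES`/`STOREBYTES` just below already use `memcpy`, which compilers lower to the same single load/store where that is legal; `STORE` could read the word with `memcpy(&x, bytes, 8)`, mask and OR it, and write it back with `memcpy(bytes, &x, 8)`, keeping the width but removing the aliasing and alignment problem. `NOTZERO` also relies on `((int)(result & 0xff) - 1) >> 8` being an arithmetic shift of a negative value, which is implementation-defined in C; on the unsigned 64-bit `result` a form such as `return -(int)((result | (0 - result)) >> 63);` gives the same 0/-1 result without the folding shifts or the signed shift.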
@@ -5,10 +5,20 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + #define ASCON_ABSORB 0x1 #define ASCON_SQUEEZE 0x2 #define ASCON_INSERT 0x4 @@ -19,8 +29,8 @@ typedef struct { void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode); -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, const uint8_t* ad, uint64_t adlen, const uint8_t* npub, const uint8_t* k, uint8_t mode); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/config.h index a4f5879..525682c 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/config.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/config.h @@ -3,7 +3,7 @@ /* inline the ascon mode */ #ifndef ASCON_INLINE_MODE -#define ASCON_INLINE_MODE 0 +#define ASCON_INLINE_MODE 1 #endif /* inline all permutations */ @@ -16,4 +16,14 @@ #define ASCON_UNROLL_LOOPS 0 #endif +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 0 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + #endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.c new file mode 100644 index 0000000..4d93b8e --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.c 
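Review bot: `typedef struct { ... } key_t;` in the first ascon.h hunk reuses `key_t`, a type POSIX defines in `<sys/types.h>` (System V IPC keys), and at least glibc can expose that typedef transitively through `<stdlib.h>` depending on feature macros, so a translation unit that includes both ascon.h and the system headers can fail with a conflicting-types error. A project-prefixed name such as `ascon_key_t` (constructed here) in the typedef and at every `key_t*` use in encrypt.c avoids the clash. The conditional `k0` member also deserves a comment, e.g. `/* k0: first 4 key bytes, present only for the 20-byte Ascon-80pq key */`, since encrypt.c fills it from `LOADBYTES(k, 4)` and nothing in this header says so.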
@@ -0,0 +1,9 @@ +#include "constants.h" + +#if !ASCON_UNROLL_LOOPS + +const uint8_t constants[] = {0xc, 0xc, 0x9, 0xc, 0xc, 0x9, 0x9, 0x9, + 0x6, 0xc, 0x3, 0xc, 0x6, 0x9, 0x3, 0x9, + 0xc, 0x6, 0x9, 0x6, 0xc, 0x3, 0x9, 0x3}; + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.h new file mode 100644 index 0000000..d353d10 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/constants.h 
@@ -0,0 +1,89 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8021000008220000ull +#define ASCON_128A_IV 0x8822000000200000ull +#define ASCON_80PQ_IV 0xc021000008220000ull + +#define ASCON_HASH_IV 0x0020000008200010ull +#define ASCON_HASHA_IV 0x0020000008220010ull +#define ASCON_XOF_IV 0x0020000008200000ull +#define ASCON_XOFA_IV 0x0020000008220000ull + +#define ASCON_PRF_IV 0x88a0000000200000ull +#define ASCON_MAC_IV 0x88a0000800200000ull +#define ASCON_PRFS_IV 0x8028000000a00000ull + +#define ASCON_HASH_IV0 0xf9afb5c6a540dbc7ull +#define ASCON_HASH_IV1 0xbd2493011445a340ull +#define ASCON_HASH_IV2 0xcb9ba8b5604d4fc8ull +#define ASCON_HASH_IV3 0x12a4eede94514c98ull +#define ASCON_HASH_IV4 0x4bca84c06339f398ull + +#define ASCON_HASHA_IV0 0x0108e46d1b16eb02ull +#define ASCON_HASHA_IV1 0x5b9b8efdd29083f3ull +#define ASCON_HASHA_IV2 0x7ad665622891ae4aull +#define ASCON_HASHA_IV3 0x9dc27156ee3bfc7full +#define ASCON_HASHA_IV4 0xc61d5fa916801633ull + +#define ASCON_XOF_IV0 0xc75782817e351ae6ull +#define ASCON_XOF_IV1 0x70045f441d238220ull +#define ASCON_XOF_IV2 0x5dd5ab52a13e3f04ull +#define ASCON_XOF_IV3 0x3e378142c30c1db2ull +#define ASCON_XOF_IV4 0x3735189db624d656ull + +#define ASCON_XOFA_IV0 0x0846d7a5a4b87d44ull +#define ASCON_XOFA_IV1 0xaa6f1005b3a2dbf4ull +#define ASCON_XOFA_IV2 0xdc451146f713e811ull +#define ASCON_XOFA_IV3 0x468cb2532839e30dull +#define 
ASCON_XOFA_IV4 0xeb2d429709e96977ull + +#define RC0 0x0000000c0000000cull +#define RC1 0x0000000c00000009ull +#define RC2 0x000000090000000cull +#define RC3 0x0000000900000009ull +#define RC4 0x0000000c00000006ull +#define RC5 0x0000000c00000003ull +#define RC6 0x0000000900000006ull +#define RC7 0x0000000900000003ull +#define RC8 0x000000060000000cull +#define RC9 0x0000000600000009ull +#define RCa 0x000000030000000cull +#define RCb 0x0000000300000009ull + +#define RC(i) ((uint64_t)constants[i + 1] << 32 | constants[i]) + +#define START(n) (24 - 2 * (n)) +#define INC 2 +#define END 24 + +extern const uint8_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + /* ascon encryption */ + ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); + /* set tag */ + for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i]; + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + /* ascon decryption */ + ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT); + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i]; + return (((result - 1) >> 8) & 1) - 1; +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/encrypt.c index 4a5b335..c6100f6 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/encrypt.c 
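Review bot: `uint8_t t[16]` in both functions is filled and compared up to `CRYPTO_ABYTES`, so the buffer size and the loop bound are two constants that merely happen to agree; declaring it `uint8_t t[CRYPTO_ABYTES];` ties them together and removes a stack overrun should api.h ever set a larger tag length. `crypto_aead_decrypt` writes the candidate plaintext into `m` through `ascon_aead` before the tag comparison runs, so on a `-1` return `m` already holds unauthenticated data; a comment above the `result` loop, `/* m already holds unverified plaintext; callers must discard it when -1 is returned */`, would document that contract. The final `(((result - 1) >> 8) & 1) - 1` depends on the right shift of a negative `int` being arithmetic, which is implementation-defined; word.h's `NOTZERO` in this patch has the same construct.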
@@ -1,26 +1,95 @@ #include "api.h" #include "ascon.h" -#include "crypto_aead.h" #include "permutations.h" #include "printstate.h" -void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen, - const uint8_t* ad, uint64_t adlen, const uint8_t* npub, - const uint8_t* k, uint8_t mode); +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* 
nsec, const unsigned char* npub, - const unsigned char* k) { +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + key_t key; + ascon_loadkey(&key, k); + /* initialize */ state_t s; - (void)nsec; - /* set ciphertext size */ - *clen = mlen + CRYPTO_ABYTES; - /* ascon encryption */ - ascon_aead(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); - /* set tag */ - STOREBYTES(c + mlen, s.x3, 8); - STOREBYTES(c + mlen + 8, s.x4, 8); - return 0; + ascon_initaead(&s, npub, &key); + /* process associated data */ + if (adlen) { + ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB); + printstate("pad adata", &s); + P(&s, nr); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + /* process plaintext/ciphertext */ + ascon_update(&s, out, in, tlen, mode); + if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s); + if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s); + /* finalize */ + ascon_final(&s, &key); + ((uint64_t*)t)[0] = WORDTOU64(s.x[3]); + ((uint64_t*)t)[1] = WORDTOU64(s.x[4]); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.c index 321d0ce..effd40b 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.c 
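Review bot: The tag is emitted with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);` and `((uint64_t*)t)[1] = WORDTOU64(s.x[4]);`, but `t` is a `uint8_t t[16]` in the caller (crypto_aead.c), so this is a type-punned, potentially unaligned 64-bit store: undefined behaviour in C and a fault on cores without unaligned-access support, which a low-size 32-bit variant is presumably meant for. word.h already provides a memcpy-based helper for exactly this, so `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` is a drop-in fix. Less critical: the unpacked `key_t key` and `state_t s` stay on the stack uncleared after return; that matches the reference-API style, but a comment saying the caller is responsible for key hygiene would be appropriate if this code is used outside the KAT harness.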
@@ -1,42 +1,15 @@ #include "interleave.h" -static inline uint32_t deinterleave_uint32(uint32_t x) { - uint32_t t; - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - return x; -} +#if !ASCON_EXTERN_BI -static inline uint32_t interleave_uint32(uint32_t x) { - uint32_t t; - t = (x ^ (x >> 8)) & 0x0000FF00, x ^= t ^ (t << 8); - t = (x ^ (x >> 4)) & 0x00F000F0, x ^= t ^ (t << 4); - t = (x ^ (x >> 2)) & 0x0C0C0C0C, x ^= t ^ (t << 2); - t = (x ^ (x >> 1)) & 0x22222222, x ^= t ^ (t << 1); - return x; -} +const uint32_t B[3] = {0x22222222, 0x0c0c0c0c, 0x00f000f0}; -/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ -uint64_t deinterleave32(uint64_t in) { - uint32_t hi = in >> 32; - uint32_t lo = in; - uint32_t r0, r1; - lo = deinterleave_uint32(lo); - hi = deinterleave_uint32(hi); - r0 = (lo & 0x0000FFFF) | (hi << 16); - r1 = (lo >> 16) | (hi & 0xFFFF0000); - return (uint64_t)r1 << 32 | r0; -} +#if !ASCON_INLINE_BI -/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ -uint64_t interleave32(uint64_t in) { - uint32_t r0 = in; - uint32_t r1 = in >> 32; - uint32_t lo = (r0 & 0x0000FFFF) | (r1 << 16); - uint32_t hi = (r0 >> 16) | (r1 & 0xFFFF0000); - lo = interleave_uint32(lo); - hi = interleave_uint32(hi); - return (uint64_t)hi << 32 | lo; -} +uint64_t TOBI(uint64_t in) { return deinterleave32(in); } + +uint64_t FROMBI(uint64_t in) { return interleave32(in); } + +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.h index ab87afc..e5d6703 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/interleave.h 
@@ -3,9 +3,65 @@ #include +#include "config.h" +#include "endian.h" #include "forceinline.h" -uint64_t deinterleave32(uint64_t in); -uint64_t interleave32(uint64_t in); +#if ASCON_INLINE_BI + +#define TOBI deinterleave32 +#define FROMBI interleave32 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +extern const uint32_t B[3]; + +forceinline uint32_t deinterleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + return x; +} + +forceinline uint32_t interleave16(uint32_t x) { + uint32_t t; + t = (x ^ (x >> 8)) & 0xff00, x ^= t ^ (t << 8); + t = (x ^ (x >> 4)) & B[2], x ^= t ^ (t << 4); + t = (x ^ (x >> 2)) & B[1], x ^= t ^ (t << 2); + t = (x ^ (x >> 1)) & B[0], x ^= t ^ (t << 1); + return x; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t deinterleave32(uint64_t in) { + in = U64BIG(in); + uint32_t hi = in >> 32; + uint32_t lo = in; + uint32_t t0, t1, e, o; + t0 = deinterleave16(lo); + t1 = deinterleave16(hi); + e = (t1 << 16) | (t0 & 0x0000FFFF); + o = (t1 & 0xFFFF0000) | (t0 >> 16); + return (uint64_t)o << 32 | e; +} + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave32(uint64_t in) { + uint32_t e = in; + uint32_t o = in >> 32; + uint32_t t0, t1, lo, hi; + t0 = (o << 16) | (e & 0x0000FFFF); + t1 = (o & 0xFFFF0000) | (e >> 16); + lo = interleave16(t0); + hi = interleave16(t1); + return U64BIG((uint64_t)hi << 32 | lo); +} #endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.c index 8e9b3c1..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.c 
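Review bot: `extern const uint32_t B[3];` exports a single-letter symbol with external linkage from a header that every translation unit includes (it is defined in interleave.c), which is an easy collision in any program that links this code; a project-prefixed name such as `extern const uint32_t ascon_bi_mask[3];` costs nothing. The first three masks are read from that table while the fourth, `0xff00`, stays an immediate in both `deinterleave16` and `interleave16`; presumably that is a deliberate code-size trade-off, but without a comment the next maintainer will "fix" the inconsistency one way or the other, so add `/* masks live in .rodata to keep the Thumb code small; 0xff00 fits an immediate */` or whatever the actual reason is.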
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.c @@ -1,17 +1,22 @@ #include "permutations.h" -#if !ASCON_UNROLL_LOOPS +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -const uint8_t constants[][2] = {{0xc, 0xc}, {0x9, 0xc}, {0xc, 0x9}, {0x9, 0x9}, - {0x6, 0xc}, {0x3, 0xc}, {0x6, 0x9}, {0x3, 0x9}, - {0xc, 0x6}, {0x9, 0x6}, {0xc, 0x3}, {0x9, 0x3}}; +void P12(state_t* s) { P12ROUNDS(s); } #endif -#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -void P12(state_t* s) { P12ROUNDS(s); } void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.h index 336d7bb..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/permutations.h 
@@ -6,104 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8021000008220000ull) -#define ASCON_128A_IV WORD_T(0x8822000000200000ull) -#define ASCON_80PQ_IV WORD_T(0xc021000008220000ull) -#define ASCON_HASH_IV WORD_T(0x0020000008020010ull) -#define ASCON_XOF_IV WORD_T(0x0020000008020000ull) - -#define ASCON_HASH_IV0 WORD_T(0xf9afb5c6a540dbc7ull) -#define ASCON_HASH_IV1 WORD_T(0xbd2493011445a340ull) -#define ASCON_HASH_IV2 WORD_T(0xcb9ba8b5604d4fc8ull) -#define ASCON_HASH_IV3 WORD_T(0x12a4eede94514c98ull) -#define ASCON_HASH_IV4 WORD_T(0x4bca84c06339f398ull) - -#define ASCON_HASHA_IV0 WORD_T(0x0108e46d1b16eb02ull) -#define ASCON_HASHA_IV1 WORD_T(0x5b9b8efdd29083f3ull) -#define ASCON_HASHA_IV2 WORD_T(0x7ad665622891ae4aull) -#define ASCON_HASHA_IV3 WORD_T(0x9dc27156ee3bfc7full) -#define ASCON_HASHA_IV4 WORD_T(0xc61d5fa916801633ull) - -#define ASCON_XOF_IV0 WORD_T(0xc75782817e351ae6ull) -#define ASCON_XOF_IV1 WORD_T(0x70045f441d238220ull) -#define ASCON_XOF_IV2 WORD_T(0x5dd5ab52a13e3f04ull) -#define ASCON_XOF_IV3 WORD_T(0x3e378142c30c1db2ull) -#define ASCON_XOF_IV4 WORD_T(0x3735189db624d656ull) - -#define ASCON_XOFA_IV0 WORD_T(0x0846d7a5a4b87d44ull) -#define ASCON_XOFA_IV1 WORD_T(0xaa6f1005b3a2dbf4ull) -#define ASCON_XOFA_IV2 WORD_T(0xdc451146f713e811ull) -#define ASCON_XOFA_IV3 WORD_T(0x468cb2532839e30dull) -#define ASCON_XOFA_IV4 WORD_T(0xeb2d429709e96977ull) - -#define START(n) (12 - 
n) -#define RC(e, o) WORD_T((uint64_t)o << 32 | e) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xc, 0xc)); - ROUND(s, RC(0x9, 0xc)); - ROUND(s, RC(0xc, 0x9)); - ROUND(s, RC(0x9, 0x9)); - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0xc)); - ROUND(s, RC(0x3, 0xc)); - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x6, 0x9)); - ROUND(s, RC(0x3, 0x9)); - ROUND(s, RC(0xc, 0x6)); - ROUND(s, RC(0x9, 0x6)); - ROUND(s, RC(0xc, 0x3)); - ROUND(s, RC(0x9, 0x3)); -} - -extern const uint8_t constants[][2]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) - ROUND(s, RC(constants[i][0], constants[i][1])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.c index 6cb5f4d..8aa5862 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.c 
@@ -1,21 +1,40 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%08x_%08x", s->w[0][1], s->w[0][0]); + printf(" x1=%08x_%08x", s->w[1][1], s->w[1][0]); + printf(" x2=%08x_%08x", s->w[2][1], s->w[2][0]); + printf(" x3=%08x_%08x", s->w[3][1], s->w[3][0]); + printf(" x4=%08x_%08x", s->w[4][1], s->w[4][0]); +#endif + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else 
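Review bot: `printstate` prints all five state words, and `ascon_initaead` in encrypt.c calls `printstate("init 1st key xor", s)` while `x[1]`/`x[2]` still hold the raw key words (and `x[0]` the IV XOR `k0` for the 80pq variant), so any build with `ASCON_PRINT_STATE` defined writes key material to stdout. That is the intended KAT-debugging behaviour, but nothing stops the flag reaching a release build, and the rename from `ASCON_PRINTSTATE` means an old build flag now silently does nothing. Suggest guarding at the top of printstate.h: `#if defined(ASCON_PRINT_STATE) && defined(NDEBUG)` / `#error "ASCON_PRINT_STATE prints secret state; debug builds only"` / `#endif`, plus a one-line comment above `printword` stating that the output includes key material.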
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/round.h
index b4635a6..2b8d9f1 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/round.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/round.h
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= 
ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/update.c index 7a4baa8..b81b24e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/update.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/update.c 
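Review bot: The new `PROUNDS` is a `do { ... } while (i != END)`, so it always executes at least one `ROUND` and reads `RC(START(nr))` before checking anything; with `nr == 0` that is `constants[END]`, one past the table, and any `nr` whose `START(nr)` is not reachable from `END` by steps of `INC` never terminates. Every visible caller passes 6, 8 or 12, so this is a precondition rather than a live bug, but it is an undocumented one in a header that other variants copy. If the do/while is intentional for code size, say so: `/* nr must be 6, 8 or 12 (START(nr) < END, reachable by INC); do/while saves the entry test */`; otherwise `for (int i = START(nr); i != END; i += INC) ROUND(s, RC(i));` handles `nr == 0` at no cost.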
@@ -3,30 +3,75 @@ #include "permutations.h" #include "printstate.h" +#ifdef ASCON_AEAD_RATE + +#if ASCON_AEAD_RATE == ASCON_128_RATE +#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS +#else +#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS +#endif + void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, uint8_t mode) { - const int rate = 8; - const int nr = 6; - word_t tmp0; - int n = 0; - while (len) { - /* determine block size */ - n = len < rate ? len : rate; +#if defined(ASCON_HASH_BYTES) + const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS; + const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE; +#else + const int nr = ASCON_AEAD_ROUNDS; + const int rate = ASCON_AEAD_RATE; +#endif +#if ASCON_AEAD_RATE == 8 + const int i = 0; +#else + int i = 0; +#endif + uint64_t tmp; + while (len >= 8) { /* absorb data */ - tmp0 = LOAD(in, n); - s->x0 = XOR(s->x0, tmp0); +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOAD(in, 8); + s->x[i] ^= tmp; + if (mode == ASCON_ABSORB) printstate("absorb adata", s); + if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s); + } /* extract data */ - if (mode & ASCON_SQUEEZE) STORE(out, s->x0, n); + if (mode & ASCON_SQUEEZE) { + STORE(out, s->x[i], 8); + if (mode & ASCON_HASH) printstate("squeeze output", s); + } /* insert data */ if (mode & ASCON_INSERT) { - s->x0 = CLEAR(s->x0, n); - s->x0 = XOR(s->x0, tmp0); + s->x[i] = tmp; + printstate("insert ciphertext", s); } /* compute permutation for full blocks */ - if (n == rate) P(s, nr); - in += n; - out += n; - len -= n; +#if ASCON_AEAD_RATE == 16 + if (++i == rate / 8) i = 0; +#endif + if (i == 0) P(s, nr); + in += 8; + out += 8; + len -= 8; } - s->x0 = XOR(s->x0, PAD(n % 8)); + /* absorb data */ +#ifdef ASCON_HASH_BYTES + if (mode & ASCON_ABSORB) +#endif + { + tmp = LOADBYTES(in, len); + s->x[i] ^= tmp; + } + /* extract data */ + if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len); + /* insert 
data */ + if (mode & ASCON_INSERT) { + s->x[i] = CLEAR(s->x[i], len); + s->x[i] ^= tmp; + } + s->x[i] ^= PAD(len); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/word.h index 688e605..d685b5e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/word.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi32_lowsize/word.h 
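Review bot: The block loop does `out += 8;` unconditionally, but `ascon_aead` in encrypt.c calls `ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB)`, so in absorb mode this is pointer arithmetic on a null pointer, which is undefined in C even though the `STORE` is correctly behind `mode & ASCON_SQUEEZE`; compilers increasingly exploit that. Advancing only when there is an output, `if (mode & ASCON_SQUEEZE) out += 8;`, or having the caller pass a valid dummy buffer, removes the UB without changing the single-loop structure. Also note that with `ASCON_HASH_BYTES` defined `tmp` is only assigned under `mode & ASCON_ABSORB`, yet the `ASCON_INSERT` branch XORs it in, so the flag contract (every INSERT mode also sets ABSORB) should be stated in a comment next to the `mode` parameter since ascon.h does not show it.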
@@ -2,104 +2,115 @@ #define WORD_H_ #include +#include +#include "config.h" #include "endian.h" #include "forceinline.h" #include "interleave.h" -typedef struct { - uint32_t e; - uint32_t o; -} word_t; - -forceinline uint32_t ROR32(uint32_t x, int n) { - return (n == 0) ? x : x >> n | x << (32 - n); -} - -forceinline word_t ROR(word_t x, int n) { - word_t r; - r.e = (n % 2) ? ROR32(x.o, (n - 1) / 2) : ROR32(x.e, n / 2); - r.o = (n % 2) ? ROR32(x.e, (n + 1) / 2) : ROR32(x.o, n / 2); - return r; -} +#if ASCON_EXTERN_BI -forceinline word_t WORD_T(uint64_t x) { return (word_t){.o = x >> 32, .e = x}; } +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) -forceinline uint64_t UINT64_T(word_t x) { return (uint64_t)x.o << 32 | x.e; } +#else -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(deinterleave32(x)); } +#define U64TOWORD(x) TOBI(x) +#define WORDTOU64(x) FROMBI(x) -forceinline uint64_t WORDTOU64(word_t w) { return interleave32(UINT64_T(w)); } +#endif -forceinline word_t NOT(word_t a) { - a.e = ~a.e; - a.o = ~a.o; - return a; -} +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; -forceinline word_t XOR(word_t a, word_t b) { - a.e ^= b.e; - a.o ^= b.o; - return a; +forceinline uint32_t ROR32(uint32_t x, int n) { + return x >> n | x << (-n & 31); } -forceinline word_t AND(word_t a, word_t b) { - a.e &= b.e; - a.o &= b.o; - return a; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; + b.w[0] = (n % 2) ? ROR32(a.w[1], (n - 1) / 2) : ROR32(a.w[0], n / 2); + b.w[1] = (n % 2) ? 
ROR32(a.w[0], (n + 1) / 2) : ROR32(a.w[1], n / 2); + return b.x; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t r; - r.e = lo2hi.e << 16 | hi2lo.e >> 16; - r.o = lo2hi.o << 16 | hi2lo.o >> 16; - return r; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; + w.w[0] = lo2hi.w[0] << 16 | hi2lo.w[0] >> 16; + w.w[1] = lo2hi.w[1] << 16 | hi2lo.w[1] >> 16; + return w.x; } -forceinline int NOTZERO(word_t a, word_t b) { - uint32_t result = a.e | a.o | b.e | b.o; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { - return WORD_T((uint64_t)(0x8ul << (28 - 4 * i)) << 32); +#if ASCON_EXTERN_BI + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +#else + +forceinline uint64_t PAD(int i) { + return ((uint64_t)((uint32_t)0x08 << (28 - 4 * i)) << 32); } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 57) | /* 0000x */ + ((len & 0x02) << 25) | /* 000x0 */ + ((len & 0x04) << 56) | /* 00x00 */ + ((len & 0x08) << 24) | /* 0x000 */ + ((len & 0x10) << 55); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - uint32_t mask = 0x0fffffff >> (n * 4 - 4); - w.e &= mask; - w.o &= mask; - return w; + uint32_t mask = 0xffffffffull >> (4 * n); + return w & ((uint64_t)mask << 32 | mask); } +#endif + forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { 
uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/api.h index 017428a..085b24c 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/api.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 20 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/ascon.h 
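Review bot: `LOAD` and `STORE` still access the caller's buffer through `*(uint64_t*)bytes`, which is a strict-aliasing violation and an unaligned 64-bit access whenever the user-supplied `m`/`c`/`ad`/`npub`/`k` pointer is not 8-aligned — undefined behaviour in C and a bus fault on cores without unaligned support; they also always touch 8 bytes regardless of `n`, and `MASK(0)` shifts a 64-bit value by 64. The new `LOADBYTES`/`STOREBYTES` already use `memcpy`, and the visible callers pass `n == 8` (update.c, encrypt.c), so a `memcpy`-based rewrite preserves behaviour while removing the UB; the 8-byte read/write and `1 <= n <= 8` should be stated as preconditions. The `/* undefined for n == 0 */` comment on the non-extern `CLEAR` is now stale, since `0xffffffffull >> 0` is well defined.
```c
forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
  /* precondition: 8 readable bytes at `bytes`, 1 <= n <= 8 (MASK(0) is UB) */
  uint64_t x;
  memcpy(&x, bytes, 8);
  return U64TOWORD(x & MASK(n));
}

forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
  /* precondition: 8 writable bytes at `bytes`, 1 <= n <= 8 */
  uint64_t x;
  memcpy(&x, bytes, 8);
  x = (x & ~MASK(n)) | WORDTOU64(w);
  memcpy(bytes, &x, 8);
}
/* ... unchanged: LOADBYTES, STOREBYTES ... */
```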
@@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/config.h index f5873d0..525682c 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/config.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/config.h @@ -16,4 +16,14 @@ #define ASCON_UNROLL_LOOPS 0 #endif +/* inline bitinterleaving */ +#ifndef ASCON_INLINE_BI +#define ASCON_INLINE_BI 0 +#endif + +/* extern bitinterleaving */ +#ifndef ASCON_EXTERN_BI +#define ASCON_EXTERN_BI 0 +#endif + #endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.c new file mode 100644 index 0000000..7801918 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.c @@ -0,0 +1,8 @@ +#include "constants.h" + +#if !ASCON_UNROLL_LOOPS + +const uint64_t constants[] = {RC0, RC1, RC2, RC3, RC4, RC5, + RC6, RC7, RC8, RC9, RCa, RCb}; + +#endif 
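Review bot: The new `typedef struct { ... } key_t;` in ascon.h reuses `key_t`, which is a POSIX typedef in `<sys/types.h>` that common libc headers include transitively; any translation unit that sees both gets a conflicting-type error, and redefining a platform-reserved identifier is not something a library header should do. A project-prefixed name, `typedef struct { ... } ascon_key_t;`, avoids this; the bi32_lowsize encrypt.c in this same patch uses `key_t` too and would need the same rename. The struct also deserves a one-line comment that it holds the unpacked key in the implementation's word representation for the lifetime of one `ascon_aead` call, so callers know it is sensitive.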
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.h
new file mode 100644
index 0000000..6c38206
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/constants.h
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x8040000020301000ull +#define ASCON_128A_IV 0xc000000030200000ull +#define ASCON_80PQ_IV 0x8040800020301000ull +#define ASCON_HASH_IV 0x0040000020200002ull +#define ASCON_HASHA_IV 0x0040000020300002ull +#define ASCON_XOF_IV 0x0040000020200000ull +#define ASCON_XOFA_IV 0x0040000020300000ull + +#define ASCON_PRF_IV 0xe000000020200000ull +#define ASCON_MAC_IV 0xe100000020200000ull +#define ASCON_PRFS_IV 0x9020000020200000ull + +#define ASCON_HASH_IV0 0xfa8e976bb985dc4dull +#define ASCON_HASH_IV1 0xc8085072a40ccd94ull +#define ASCON_HASH_IV2 0xfe1781be5a847314ull +#define ASCON_HASH_IV3 0x2f871f6c6d0082b2ull +#define ASCON_HASH_IV4 0x7a1ba68850ec407eull + +#define ASCON_HASHA_IV0 0x194c0f180a5d41e4ull +#define ASCON_HASHA_IV1 0x7faa87825647f3a7ull +#define ASCON_HASHA_IV2 0x606dbe06db8da430ull +#define ASCON_HASHA_IV3 0xe0dd6bcf19fbce3bull +#define ASCON_HASHA_IV4 0x9720dc4446473d8bull + +#define ASCON_XOF_IV0 0x8a46f0d354e771b8ull +#define ASCON_XOF_IV1 0x04489f4084368cd0ull +#define ASCON_XOF_IV2 0x6c94f2150dbcf66cull +#define ASCON_XOF_IV3 0x48965294f143b44eull +#define ASCON_XOF_IV4 0x0788515fe0e5fb8aull + +#define ASCON_XOFA_IV0 0x4ab43d4f16a80d2cull +#define ASCON_XOFA_IV1 0xd0ae310bf0f619ceull +#define ASCON_XOFA_IV2 0xc08cf3c801d89cf3ull +#define ASCON_XOFA_IV3 0x3859d2094dac0b35ull +#define 
ASCON_XOFA_IV4 0xd274992be52b5357ull + +#define RC0 0x0101010100000000ull +#define RC1 0x0101010000000001ull +#define RC2 0x0101000100000100ull +#define RC3 0x0101000000000101ull +#define RC4 0x0100010100010000ull +#define RC5 0x0100010000010001ull +#define RC6 0x0100000100010100ull +#define RC7 0x0100000000010101ull +#define RC8 0x0001010101000000ull +#define RC9 0x0001010001000001ull +#define RCa 0x0001000101000100ull +#define RCb 0x0001000001000101ull + +#define RC(i) (constants[i]) +#define START(n) (12 - (n)) +#define INC 1 +#define END 12 + +extern const uint64_t constants[]; + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/encrypt.c 
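Review bot: The IVs and round constants here (e.g. `ASCON_128_IV 0x8040000020301000ull`, `RC0 0x0101010100000000ull`) are not the specification's values and also differ from the bi32_lowsize `ASCON_128_IV`/`RC0` removed and added earlier in this patch, so they appear to be pre-transformed into this variant's bit-interleaved representation, but nothing in the header says so. Anyone checking the file against the spec or another variant will conclude the constants are corrupted, and a well-meaning "fix" would silently break interoperability while the KAT files would be the only thing that catches it. Suggest a comment at the top of the block: `/* All IVs and round constants below are stored in this implementation's interleaved word representation, NOT the specification values; see word.h / interleave.h for the mapping. */`.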
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.c index 659255b..1fa6134 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.c @@ -1,12 +1,9 @@ #include "interleave.h" -/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ -uint64_t interleave8(uint64_t x) { - x = (x & 0xaa55aa55aa55aa55ull) | ((x & 0x00aa00aa00aa00aaull) << 7) | - ((x >> 7) & 0x00aa00aa00aa00aaull); - x = (x & 0xcccc3333cccc3333ull) | ((x & 0x0000cccc0000ccccull) << 14) | - ((x >> 14) & 0x0000cccc0000ccccull); - x = (x & 0xf0f0f0f00f0f0f0full) | ((x & 0x00000000f0f0f0f0ull) << 28) | - ((x >> 28) & 0x00000000f0f0f0f0ull); - return x; -} +#if !ASCON_INLINE_BI + +uint64_t TOBI(uint64_t in) { return interleave8(in); } + +uint64_t FROMBI(uint64_t in) { return interleave8(in); } + +#endif \ No newline at end of file diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.h index fa9e921..d8e7d12 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.h 
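Review bot: In crypto_aead_decrypt a tag mismatch returns NOTZERO's -1 but leaves `*mlen` set to the plaintext length and the unauthenticated plaintext in `m`, whereas the esp32 crypto_aead_decrypt added later in this patch resets `*mlen = 0` on failure (and likewise leaves `m` populated). A caller that checks `*mlen` instead of the return value, or reads `m` by its own length bookkeeping, would process forged data, and the two implementations of the same API should agree. Suggest replacing the final return with `int r = NOTZERO(s.x[3], s.x[4]); if (r) *mlen = 0; return r;` and adding a comment above the function stating that `m` holds unverified output whenever -1 is returned and must be discarded (or wipe it in that case). The same applies to the esp32 decrypt.c hunk further down.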
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/interleave.h @@ -3,8 +3,35 @@ #include +#include "config.h" #include "forceinline.h" -uint64_t interleave8(uint64_t x); +#if ASCON_EXTERN_BI + +#define TOBI +#define FROMBI + +#elif ASCON_INLINE_BI + +#define TOBI interleave8 +#define FROMBI interleave8 + +#else + +uint64_t TOBI(uint64_t in); +uint64_t FROMBI(uint64_t in); + +#endif + +/* credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ +forceinline uint64_t interleave8(uint64_t x) { + x = (x & 0xaa55aa55aa55aa55ull) | ((x & 0x00aa00aa00aa00aaull) << 7) | + ((x >> 7) & 0x00aa00aa00aa00aaull); + x = (x & 0xcccc3333cccc3333ull) | ((x & 0x0000cccc0000ccccull) << 14) | + ((x >> 14) & 0x0000cccc0000ccccull); + x = (x & 0xf0f0f0f00f0f0f0full) | ((x & 0x00000000f0f0f0f0ull) << 28) | + ((x >> 28) & 0x00000000f0f0f0f0ull); + return x; +} #endif /* INTERLEAVE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.c index b03de98..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.c 
@@ -1,19 +1,22 @@ #include "permutations.h" -#if !ASCON_UNROLL_LOOPS +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -const uint64_t constants[12] = { - 0x0101010100000000ull, 0x0101010000000001ull, 0x0101000100000100ull, - 0x0101000000000101ull, 0x0100010100010000ull, 0x0100010000010001ull, - 0x0100000100010100ull, 0x0100000000010101ull, 0x0001010101000000ull, - 0x0001010001000001ull, 0x0001000101000100ull, 0x0001000001000101ull}; +void P12(state_t* s) { P12ROUNDS(s); } #endif -#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS -void P12(state_t* s) { P12ROUNDS(s); } void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.h index f0d971a..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/permutations.h 
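Review bot: The definition of `constants[12]` is removed here, while the new constants.h in this patch still declares `extern const uint64_t constants[];` and defines `RC(i)` as `(constants[i])`, which the new PROUNDS in round.h uses whenever the permutation is not unrolled. If no other translation unit in the bi8 directory now defines `constants` (none is added in the visible part of this patch), builds with ASCON_UNROLL_LOOPS off will fail to link. Either keep the table in permutations.c under `#if !ASCON_UNROLL_LOOPS` or add the source file that the header presumes.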
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x8040000020301000ull) -#define ASCON_128A_IV WORD_T(0xc000000030200000ull) -#define ASCON_80PQ_IV WORD_T(0x8040800020301000ull) -#define ASCON_HASH_IV WORD_T(0x0040000020200002ull) -#define ASCON_XOF_IV WORD_T(0x0040000020200000ull) - -#define ASCON_HASH_IV0 WORD_T(0xfa8e976bb985dc4dull) -#define ASCON_HASH_IV1 WORD_T(0xc8085072a40ccd94ull) -#define ASCON_HASH_IV2 WORD_T(0xfe1781be5a847314ull) -#define ASCON_HASH_IV3 WORD_T(0x2f871f6c6d0082b2ull) -#define ASCON_HASH_IV4 WORD_T(0x7a1ba68850ec407eull) - -#define ASCON_HASHA_IV0 WORD_T(0x194c0f180a5d41e4ull) -#define ASCON_HASHA_IV1 WORD_T(0x7faa87825647f3a7ull) -#define ASCON_HASHA_IV2 WORD_T(0x606dbe06db8da430ull) -#define ASCON_HASHA_IV3 WORD_T(0xe0dd6bcf19fbce3bull) -#define ASCON_HASHA_IV4 WORD_T(0x9720dc4446473d8bull) - -#define ASCON_XOF_IV0 WORD_T(0x8a46f0d354e771b8ull) -#define ASCON_XOF_IV1 WORD_T(0x04489f4084368cd0ull) -#define ASCON_XOF_IV2 WORD_T(0x6c94f2150dbcf66cull) -#define ASCON_XOF_IV3 WORD_T(0x48965294f143b44eull) -#define ASCON_XOF_IV4 WORD_T(0x0788515fe0e5fb8aull) - -#define ASCON_XOFA_IV0 WORD_T(0x4ab43d4f16a80d2cull) -#define ASCON_XOFA_IV1 WORD_T(0xd0ae310bf0f619ceull) -#define ASCON_XOFA_IV2 WORD_T(0xc08cf3c801d89cf3ull) -#define ASCON_XOFA_IV3 WORD_T(0x3859d2094dac0b35ull) -#define ASCON_XOFA_IV4 WORD_T(0xd274992be52b5357ull) - -#define START(n) (12 - 
n) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0x0101010100000000ull)); - ROUND(s, RC(0x0101010000000001ull)); - ROUND(s, RC(0x0101000100000100ull)); - ROUND(s, RC(0x0101000000000101ull)); - ROUND(s, RC(0x0100010100010000ull)); - ROUND(s, RC(0x0100010000010001ull)); - ROUND(s, RC(0x0100000100010100ull)); - ROUND(s, RC(0x0100000000010101ull)); - ROUND(s, RC(0x0001010101000000ull)); - ROUND(s, RC(0x0001010001000001ull)); - ROUND(s, RC(0x0001000101000100ull)); - ROUND(s, RC(0x0001000001000101ull)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0x0100010100010000ull)); - ROUND(s, RC(0x0100010000010001ull)); - ROUND(s, RC(0x0100000100010100ull)); - ROUND(s, RC(0x0100000000010101ull)); - ROUND(s, RC(0x0001010101000000ull)); - ROUND(s, RC(0x0001010001000001ull)); - ROUND(s, RC(0x0001000101000100ull)); - ROUND(s, RC(0x0001000001000101ull)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x0100000100010100ull)); - ROUND(s, RC(0x0100000000010101ull)); - ROUND(s, RC(0x0001010101000000ull)); - ROUND(s, RC(0x0001010001000001ull)); - ROUND(s, RC(0x0001000101000100ull)); - ROUND(s, RC(0x0001000001000101ull)); -} - -extern const uint64_t constants[12]; - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i < 12; i++) ROUND(s, RC(constants[i])); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.c index 6cb5f4d..0de03e6 100644 
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.c @@ -1,21 +1,40 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); +#ifdef ASCON_PRINT_BI + printf(" "); + printf(" x0=%016" PRIx64, s->x[0]); + printf(" x1=%016" PRIx64, s->x[1]); + printf(" x2=%016" PRIx64, s->x[2]); + printf(" x3=%016" PRIx64, s->x[3]); + printf(" x4=%016" PRIx64, s->x[4]); +#endif + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else 
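Review bot: printstate dumps the full five-word state, including the key words that encrypt.c places in x1/x2 before calling `printstate("init 1st key xor", s)`, whenever ASCON_PRINT_STATE is defined, and nothing in the file says this is a debugging aid. A header comment such as `/* debug trace only: prints key-dependent state; never define ASCON_PRINT_STATE in a production build */` would make that explicit. Minor: `int i = strlen(text)` narrows a size_t to int; `size_t i` avoids the implicit conversion.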
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/round.h index b4635a6..2b8d9f1 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/round.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/round.h 
@@ -4,50 +4,44 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); -} - -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); -} - -forceinline void ROUND(state_t* s, word_t C) { - word_t xtemp; +forceinline void ROUND(state_t* s, uint64_t C) { + uint64_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->x[2] ^= C; /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19); + s->x[0] ^= ROR(xtemp, 19); + xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39); + s->x[1] ^= ROR(xtemp, 39); + xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1); + s->x[2] ^= ROR(xtemp, 1); + xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10); + s->x[3] ^= 
ROR(xtemp, 10); + xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7); + s->x[4] ^= ROR(xtemp, 7); + s->x[2] = ~s->x[2]; printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/word.h index 72d9290..706c5c6 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/word.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/bi8/word.h @@ -2,20 +2,25 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" #include "interleave.h" typedef union { - uint64_t w; + uint64_t x; + uint32_t w[2]; uint8_t b[8]; } word_t; +#define U64TOWORD(x) interleave8(U64BIG(x)) +#define WORDTOU64(x) U64BIG(interleave8(x)) + forceinline uint8_t ROR8(uint8_t a, int n) { return a >> n | a << (8 - n); } -forceinline word_t ROR(word_t a, int n) { - word_t b; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t b, a = {.x = x}; b.b[0] = ROR8(a.b[(n + 0) & 0x7], (n + 0) >> 3); b.b[1] = ROR8(a.b[(n + 1) & 0x7], (n + 1) >> 3); b.b[2] = ROR8(a.b[(n + 2) & 0x7], (n + 2) >> 3); 
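Review bot: The new PROUNDS is a do/while that exits on `i != END`, so it always runs at least one round and has no upper bound: with `START(n)` = `(12 - (n))`, `INC` = 1 and `END` = 12 from constants.h, `nr == 0` reads `constants[12]` and then never terminates, and any nr > 12 indexes below the table. The `for (int i = START(nr); i < 12; i++)` it replaces in permutations.h tolerated nr == 0. If the do/while is deliberate for code generation, add `/* nr must be 1..12 */` above the function or guard with `if (nr < 1 || nr > 12) return;`; otherwise `for (int i = START(nr); i < END; i += INC) ROUND(s, RC(i));` keeps the previous behaviour.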
@@ -24,42 +29,11 @@ forceinline word_t ROR(word_t a, int n) { b.b[5] = ROR8(a.b[(n + 5) & 0x7], (n + 5) >> 3); b.b[6] = ROR8(a.b[(n + 6) & 0x7], (n + 6) >> 3); b.b[7] = ROR8(a.b[(n + 7) & 0x7], (n + 7) >> 3); - return b; -} - -forceinline word_t WORD_T(uint64_t x) { - word_t w; - w.w = x; - return w; -} - -forceinline uint64_t UINT64_T(word_t w) { - uint64_t x; - x = w.w; - return x; + return b.x; } -forceinline word_t U64TOWORD(uint64_t x) { return WORD_T(interleave8(x)); } - -forceinline uint64_t WORDTOU64(word_t w) { return interleave8(UINT64_T(w)); } - -forceinline word_t NOT(word_t a) { - a.w = ~a.w; - return a; -} - -forceinline word_t XOR(word_t a, word_t b) { - a.w ^= b.w; - return a; -} - -forceinline word_t AND(word_t a, word_t b) { - a.w &= b.w; - return a; -} - -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - word_t w; +forceinline uint64_t KEYROT(uint64_t a, uint64_t b) { + word_t w, lo2hi = {.x = a}, hi2lo = {.x = b}; w.b[0] = lo2hi.b[0] << 4 | hi2lo.b[0] >> 4; w.b[1] = lo2hi.b[1] << 4 | hi2lo.b[1] >> 4; w.b[2] = lo2hi.b[2] << 4 | hi2lo.b[2] >> 4; 
@@ -68,20 +42,28 @@ forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { w.b[5] = lo2hi.b[5] << 4 | hi2lo.b[5] >> 4; w.b[6] = lo2hi.b[6] << 4 | hi2lo.b[6] >> 4; w.b[7] = lo2hi.b[7] << 4 | hi2lo.b[7] >> 4; - return w; + return w.x; } -forceinline int NOTZERO(word_t a, word_t b) { - uint64_t result = a.w | b.w; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return (word_t){.b[7] = 0x80 >> i}; } +forceinline uint64_t PAD(int i) { return (uint64_t)(0x80 >> i) << 56; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { + return ((len & 0x01) << 30) | /* 0000x */ + ((len & 0x02) << 37) | /* 000x0 */ + ((len & 0x04) << 44) | /* 00x00 */ + ((len & 0x08) << 51) | /* 0x000 */ + ((len & 0x10) << 58); /* x0000 */ +} + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ uint8_t m = 0xff >> n; word_t mask = { @@ -94,7 +76,7 @@ forceinline word_t CLEAR(word_t w, int n) { .b[6] = m, .b[7] = m, }; - return AND(w, mask); + return w & mask.x; } forceinline uint64_t MASK(int n) { 
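Review bot: NOTZERO still derives its result from `((int)(result & 0xff) - 1) >> 8`, a right shift of a negative int, which is implementation-defined in C (arithmetic on the usual compilers, but not guaranteed) in the one place where the tag comparison must stay branch-free. The same 0/-1 value follows from unsigned arithmetic alone: keep `uint64_t result = a | b;` and return `-(int)((result | (0 - result)) >> 63);`, dropping the three folding shifts. Since crypto_aead_decrypt's comment already notes that constant time depends on compiler output, a `/* constant-time: must not branch on result */` comment on this function would help keep it that way.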
@@ -102,26 +84,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = *(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/api.h new file mode 100644 index 0000000..3be5441 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/api.h @@ -0,0 +1,6 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.c b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.c new file mode 100644 index 0000000..a4ca5ac --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.c 
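Review bot: LOAD and STORE still access a full `uint64_t` through `*(uint64_t*)bytes` for every n, so the partial-block calls in encrypt.c (`LOAD(ad, adlen)`, `LOAD(m, mlen)`, `STORE(m, *px, clen)`) read, and STORE also writes back, up to 7 bytes beyond the caller's buffer, on top of the unaligned and strict-aliasing access, while this same hunk moves LOADBYTES/STOREBYTES to bounded `memcpy`. If the over-access is an accepted speed trade-off for this bi8 build, say so above LOAD: `/* accesses 8 bytes regardless of n; caller buffers need 8 bytes of slack */`. Otherwise LOAD can become `uint64_t x = 0; memcpy(&x, bytes, n); return U64TOWORD(x);` and STORE `uint64_t x = WORDTOU64(w); memcpy(bytes, &x, n);`, i.e. the bodies LOADBYTES and STOREBYTES already have.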
@@ -0,0 +1,117 @@ +#include "core.h" + +#include + +void ascon_duplex(state* s, unsigned char* out, const unsigned char* in, + unsigned long len, u8 mode) { + u32_2 tmp; + + while (len >= RATE) { + tmp.h = ((u32*)in)[0]; + tmp.l = ((u32*)in)[1]; + tmp = ascon_rev8_half(tmp); + s->x0.h ^= tmp.h; + s->x0.l ^= tmp.l; + + if (mode != ASCON_AD) { + ((u32*)out)[0] = U32BIG(s->x0.h); + ((u32*)out)[1] = U32BIG(s->x0.l); + } + if (mode == ASCON_DEC) { + s->x0 = tmp; + } + + P(s, PB_START_ROUND, PB_ROUNDS); + + in += RATE; + out += RATE; + len -= RATE; + } + + u8* bytes = (u8*)&tmp; + memset(bytes, 0, sizeof tmp); + memcpy(bytes, in, len); + bytes[len] ^= 0x80; + + tmp = ascon_rev8_half(tmp); + s->x0.h ^= tmp.h; + s->x0.l ^= tmp.l; + + if (mode != ASCON_AD) { + tmp = ascon_rev8_half(s->x0); + memcpy(out, bytes, len); + } + if (mode == ASCON_DEC) { + memcpy(bytes, in, len); + tmp = ascon_rev8_half(tmp); + s->x0 = tmp; + } +} + +void ascon_core(state* s, unsigned char* out, const unsigned char* in, + unsigned long long tlen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k, u8 mode) { + u32_4 tmp; + u32_2 K0, K1, K2, N0, N1; + + // load key + K0.h = U32BIG(((u32*)k)[0]); + tmp.words[0].h = ((u32*)k)[1]; + tmp.words[0].l = ((u32*)k)[2]; + tmp.words[1].h = ((u32*)k)[3]; + tmp.words[1].l = ((u32*)k)[4]; + tmp = ascon_rev8(tmp); + K0.l = tmp.words[0].h; + K1 = tmp.words[0]; + K2 = tmp.words[1]; + + // load nonce + tmp.words[0].h = ((u32*)npub)[0]; + tmp.words[0].l = ((u32*)npub)[1]; + tmp.words[1].h = ((u32*)npub)[2]; + tmp.words[1].l = ((u32*)npub)[3]; + tmp = ascon_rev8(tmp); + N0 = tmp.words[0]; + N1 = tmp.words[1]; + + // initialization + to_big_immediate(s->x0, IV); + s->x0.l = K0.h; + s->x1.h = K1.h; + s->x1.l = K1.l; + s->x2.h = K2.h; + s->x2.l = K2.l; + s->x3.h = N0.h; + s->x3.l = N0.l; + s->x4.h = N1.h; + s->x4.l = N1.l; + P(s, PA_START_ROUND, PA_ROUNDS); + s->x2.l ^= K0.h; + s->x3.h ^= K1.h; + s->x3.l ^= K1.l; + 
s->x4.h ^= K2.h; + s->x4.l ^= K2.l; + + // process associated data + if (adlen) { + ascon_duplex(s, (void*)0, ad, adlen, ASCON_AD); + P(s, PB_START_ROUND, PB_ROUNDS); + } + s->x4.l ^= 1; + + // process plaintext/ciphertext + ascon_duplex(s, out, in, tlen, mode); + + // finalization + s->x1.h ^= K0.h; + s->x1.l ^= K1.h; + s->x2.h ^= K1.l; + s->x2.l ^= K2.h; + s->x3.h ^= K2.l; + P(s, PA_START_ROUND, PA_ROUNDS); + s->x3.h ^= K1.h; + s->x3.l ^= K1.l; + s->x4.h ^= K2.h; + s->x4.l ^= K2.l; +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.h b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.h new file mode 100644 index 0000000..6a16e40 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/core.h @@ -0,0 +1,29 @@ +#ifndef CORE_H_ +#define CORE_H_ + +#include "api.h" +#include "endian.h" +#include "permutations.h" + +#define ASCON_AD 0 +#define ASCON_ENC 1 +#define ASCON_DEC 2 + +#define RATE (64 / 8) +#define PA_ROUNDS 12 +#define PB_ROUNDS 6 +#define PA_START_ROUND 0xf0 +#define PB_START_ROUND 0x96 +#define IV \ + ((u64)(8 * (CRYPTO_KEYBYTES)) << 0 | (u64)(8 * (RATE)) << 8 | \ + (u64)(PA_ROUNDS) << 16 | (u64)(PB_ROUNDS) << 24) + +void process_data(state* s, unsigned char* out, const unsigned char* in, + unsigned long long len, u8 mode); + +void ascon_core(state* s, unsigned char* out, const unsigned char* in, + unsigned long long tlen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k, u8 mode); + +#endif // CORE_H_ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/decrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/decrypt.c new file mode 100644 index 0000000..2f0e960 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/decrypt.c 
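Review bot: ascon_duplex and ascon_core read caller buffers through `((u32*)in)[0]`, `((u32*)k)[1]` and `((u32*)npub)[0]` and write through `((u32*)out)[0]`, and the esp32 encrypt.c/decrypt.c tag code does the same with `(u32*)(c + mlen)`; none of these pointers is required to be 4-byte aligned (`c + mlen` is aligned only when mlen is), and on cores that trap on unaligned 32-bit access this faults rather than slows down — worth confirming on the target. A `memcpy` into a local `u32_2`/`u32_4` followed by ascon_rev8 yields the same byte order without the alignment or aliasing assumption, and core.c already uses memcpy/memset. Separately, ascon_core's `unsigned long long tlen` is passed to ascon_duplex's `unsigned long len`, which silently narrows on 32-bit targets; the two signatures should use the same type.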
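Review bot: core.h declares `process_data(state*, unsigned char*, const unsigned char*, unsigned long long, u8)`, but no function of that name exists in this patch; core.c defines `ascon_duplex` with an `unsigned long len` instead. The stale prototype will mislead readers and would compile against nothing. Replace it with `void ascon_duplex(state* s, unsigned char* out, const unsigned char* in, unsigned long len, u8 mode);` if other files are meant to call it, or delete it and make ascon_duplex `static` in core.c if it is file-local.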
@@ -0,0 +1,38 @@ +#include "core.h" + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + if (clen < CRYPTO_ABYTES) { + *mlen = 0; + return -1; + } + + state s; + u32_4 tmp; + (void)nsec; + + // set plaintext size + *mlen = clen - CRYPTO_ABYTES; + + ascon_core(&s, m, c, *mlen, ad, adlen, npub, k, ASCON_DEC); + + tmp.words[0].h = ((u32*)(c + *mlen))[0]; + tmp.words[0].l = ((u32*)(c + *mlen))[1]; + tmp.words[1].h = ((u32*)(c + *mlen))[2]; + tmp.words[1].l = ((u32*)(c + *mlen))[3]; + tmp = ascon_rev8(tmp); + u32_2 t0 = tmp.words[0]; + u32_2 t1 = tmp.words[1]; + + // verify tag (should be constant time, check compiler output) + if (((s.x3.h ^ t0.h) | (s.x3.l ^ t0.l) | (s.x4.h ^ t1.h) | (s.x4.l ^ t1.l)) != + 0) { + *mlen = 0; + return -1; + } + + return 0; +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/encrypt.c new file mode 100644 index 0000000..8f74e44 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/encrypt.c @@ -0,0 +1,28 @@ +#include "core.h" + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state s; + u32_4 tmp; + (void)nsec; + + // set ciphertext size + *clen = mlen + CRYPTO_ABYTES; + + ascon_core(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENC); + + tmp.words[0] = s.x3; + tmp.words[1] = s.x4; + tmp = ascon_rev8(tmp); + + // set tag + ((u32*)(c + mlen))[0] = tmp.words[0].h; + ((u32*)(c + mlen))[1] = tmp.words[0].l; + ((u32*)(c + mlen))[2] = tmp.words[1].h; + ((u32*)(c + mlen))[3] = tmp.words[1].l; + + return 0; +} 
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/endian.h new file mode 100644 index 0000000..b4d18f5 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/endian.h @@ -0,0 +1,29 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +// macros for big endian machines +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +// macros for little endian machines +#define U64BIG(x) \ + ((((x)&0x00000000000000FFULL) << 56) | (((x)&0x000000000000FF00ULL) << 40) | \ + (((x)&0x0000000000FF0000ULL) << 24) | (((x)&0x00000000FF000000ULL) << 8) | \ + (((x)&0x000000FF00000000ULL) >> 8) | (((x)&0x0000FF0000000000ULL) >> 24) | \ + (((x)&0x00FF000000000000ULL) >> 40) | (((x)&0xFF00000000000000ULL) >> 56)) +#define U32BIG(x) \ + ((((x)&0x000000FF) << 24) | (((x)&0x0000FF00) << 8) | \ + (((x)&0x00FF0000) >> 8) | (((x)&0xFF000000) >> 24)) +#define U16BIG(x) ((((x)&0x00FF) << 8) | (((x)&0xFF00) >> 8)) + +#else +#error "ascon byte order macros not defined in endian.h" +#endif + +#endif // ENDIAN_H_ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/implementors new file mode 100644 index 0000000..38a64ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/implementors @@ -0,0 +1,3 @@ +Christoph Dobraunig +Martin Schläffer +Ferdinand Bachmann diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.c new file mode 100644 index 0000000..b6e3010 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.c 
@@ -0,0 +1,95 @@ +#include "permutations.h" + +#include "endian.h" + +u32_4 ascon_rev8(u32_4 in) { + in.words[0].h = U32BIG(in.words[0].h); + in.words[0].l = U32BIG(in.words[0].l); + in.words[1].h = U32BIG(in.words[1].h); + in.words[1].l = U32BIG(in.words[1].l); + return in; +} + +u32_2 ascon_rev8_half(u32_2 in) { + in.h = U32BIG(in.h); + in.l = U32BIG(in.l); + return in; +} + +#define SBOX(x0, x1, x2, x3, x4, r0, t0, t1, t2) \ + do { \ + t1 = x0 ^ x4; \ + t2 = x3 ^ x4; \ + t0 = -1; \ + x4 = x4 ^ t0; \ + t0 = x1 ^ x2; \ + x4 = x4 | x3; \ + x4 = x4 ^ t0; \ + x3 = x3 ^ x1; \ + x3 = x3 | t0; \ + x3 = x3 ^ t1; \ + x2 = x2 ^ t1; \ + x2 = x2 | x1; \ + x2 = x2 ^ t2; \ + x0 = x0 | t2; \ + x0 = x0 ^ t0; \ + t0 = -1; \ + t1 = t1 ^ t0; \ + x1 = x1 & t1; \ + x1 = x1 ^ t2; \ + r0 = x0; \ + } while (0) + +#define SRC(o, h, l, amt) \ + do { \ + o = (((u64)h << 32) | l) >> amt; \ + } while (0) + +#define LINEAR(dl, dh, sl, sh, sl0, sh0, r0, sl1, sh1, r1, t0) \ + do { \ + SRC(dl, sh0, sl0, r0); \ + SRC(dh, sl0, sh0, r0); \ + dl = dl ^ sl; \ + dh = dh ^ sh; \ + SRC(t0, sh1, sl1, r1); \ + SRC(sh, sl1, sh1, r1); \ + dl = dl ^ t0; \ + dh = dh ^ sh; \ + } while (0) + +void P(state *p, u8 round_const, u8 rounds) { + u32 x0h = p->x0.h, x0l = p->x0.l; + u32 x1h = p->x1.h, x1l = p->x1.l; + u32 x2h = p->x2.h, x2l = p->x2.l; + u32 x3h = p->x3.h, x3l = p->x3.l; + u32 x4h = p->x4.h, x4l = p->x4.l; + u32 t0l, t0h; + u32 rnd = round_const; + u32 tmp0; + + while (rnd >= LAST_ROUND) { + x2l ^= rnd; + + SBOX(x0l, x1l, x2l, x3l, x4l, t0l, t0h, t0l, tmp0); + SBOX(x0h, x1h, x2h, x3h, x4h, t0h, t0h, x0l, tmp0); + + LINEAR(x0l, x0h, x2l, x2h, x2l, x2h, 19, x2l, x2h, 28, tmp0); + LINEAR(x2l, x2h, x4l, x4h, x4l, x4h, 1, x4l, x4h, 6, tmp0); + LINEAR(x4l, x4h, x1l, x1h, x1l, x1h, 7, x1h, x1l, 9, tmp0); + LINEAR(x1l, x1h, x3l, x3h, x3h, x3l, 29, x3h, x3l, 7, tmp0); + LINEAR(x3l, x3h, t0l, t0h, t0l, t0h, 10, t0l, t0h, 17, tmp0); + + rnd -= 15; + } + + p->x0.h = x0h; + p->x0.l = x0l; + p->x1.h = x1h; + p->x1.l 
= x1l; + p->x2.h = x2h; + p->x2.l = x2l; + p->x3.h = x3h; + p->x3.l = x3l; + p->x4.h = x4h; + p->x4.l = x4l; +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.h new file mode 100644 index 0000000..2ce8279 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/esp32/permutations.h @@ -0,0 +1,50 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +typedef unsigned char u8; +typedef unsigned int u32; +typedef unsigned long long u64; + +typedef struct { + u32 h; + u32 l; +} u32_2; + +typedef struct { + u32_2 words[2]; +} u32_4; + +typedef struct { + u32_2 x0; + u32_2 x1; + u32_2 x2; + u32_2 x3; + u32_2 x4; +} state; + +#define START_ROUND(x) (12 - (x)) +#define LAST_ROUND 0x4b + +u32_4 ascon_rev8(u32_4 in); +u32_2 ascon_rev8_half(u32_2 in); + +#define to_big_immediate(out, in) \ + do { \ + u64 big_in = U64BIG(in); \ + u32 hi = (big_in) >> 32; \ + u32 lo = (u32)(big_in); \ + out.h = hi; \ + out.l = lo; \ + } while (0) + +#define from_big_immediate(out, in) \ + do { \ + u32 hi = in.h; \ + u32 lo = in.l; \ + out = (u64)hi << 32 | lo; \ + out = U64BIG(out); \ + } while (0) + +void P(state *p, u8 round_const, u8 rounds); + +#endif // PERMUTATIONS_H_ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/api.h @@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/ascon.h new file mode 100644 index 0000000..196110e --- /dev/null 
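Review bot: `P(state *p, u8 round_const, u8 rounds)` never reads `rounds`: the loop is driven entirely by `rnd = round_const` counting down by 15 until it passes `LAST_ROUND`, so the parameter is dead and every build with `-Wunused-parameter` warns at this definition. Either drop it (here and in the prototype in permutations.h) or add `(void)rounds; /* round count is encoded in round_const, see START_ROUND */`. A short header comment explaining that each 64-bit state word is kept as an `h`/`l` pair of 32-bit halves and that the two `SBOX` invocations process the low and high halves separately would also help, because the macros are clearly written for register pressure rather than readability. This hunk starts on the previous physical line; the whole of `P` is visible.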
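Review bot: `to_big_immediate` and `from_big_immediate` expand to `U64BIG`, but this header does not include `endian.h`, so a translation unit that uses either macro without having included `endian.h` itself fails with an undeclared identifier at the expansion site rather than at the include; adding `#include "endian.h"` next to the typedefs makes the header self-contained. The `rounds` argument declared for `P` is, per the definition in permutations.c, never used, so it should be removed here as well or documented as ignored.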
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/ascon.h @@ -0,0 +1,32 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); +void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); +void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); +void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/config.h new file mode 100644 index 0000000..9e814e0 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/config.h @@ -0,0 +1,19 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 1 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 1 +#endif + +#endif /* CONFIG_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/constants.h 
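Review bot: `typedef struct { ... } key_t;` reuses the POSIX name `key_t` (declared in `<sys/types.h>` for `ftok`/System V IPC), which is commonly pulled in transitively by `<stdlib.h>` and friends on Linux/BSD and then yields a conflicting-typedef error; a project-prefixed name such as `ascon_key_t` avoids the clash. Separately, the `#if (CRYPTO_KEYBYTES == 20)` guard relies on `api.h` having been included before this header: an undefined macro evaluates to 0 in `#if`, so `k0` silently disappears from the struct while `ascon_loadkey` in encrypt.c (compiled with `api.h`) still writes it. Add `#include "api.h"` here, or guard with `#ifndef CRYPTO_KEYBYTES` / `#error "include api.h first"`.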
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/encrypt.c 
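Review bot: `START(n)`, `INC` and `END` encode the round-constant sequence but carry no explanation, so a reader must work out that `START(12)` is `0xf0`, `START(8)` is `0xb4`, `START(6)` is `0x96`, that each step of `INC` (`-0x0f`) produces the next `RCx`, and that `END` (`0x3c`) is one step past `RCb`, which is what `PROUNDS` in round.h tests against. Suggest a comment above `START`: `/* round constants for an n-round permutation: START(n) is the first constant, consecutive constants differ by INC, END is one step past RCb (0x4b) */`. This hunk starts on the previous physical line.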
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/endian.h new file mode 100644 index 0000000..3136f8c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/endian.h 
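Review bot: `crypto_aead_decrypt` sets `*mlen = clen - CRYPTO_ABYTES` and writes the whole decrypted message into `m` before the tag is compared, and on mismatch returns `NOTZERO(...)` (`-1`) while leaving both `*mlen` and `m` populated; the esp32 decrypt in this same commit at least resets `*mlen` to 0 on failure, so the two implementations disagree. Suggest `int r = NOTZERO(s.x[3], s.x[4]); if (r) *mlen = 0; return r;`, and clearing `m` if the API is meant to survive callers that ignore the return value. The early `if (clen < CRYPTO_ABYTES) return -1;` likewise leaves `*mlen` unset. Neither function wipes `s` or `key` from the stack before returning; acceptable for reference code, but worth a comment. This hunk starts several physical lines earlier.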
@@ -0,0 +1,39 @@ +#ifndef ENDIAN_H_ +#define ENDIAN_H_ + +#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* macros for big endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for big endian machines") +#endif +#define U64BIG(x) (x) +#define U32BIG(x) (x) +#define U16BIG(x) (x) + +#elif defined(_MSC_VER) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) + +/* macros for little endian machines */ +#ifdef PRAGMA_ENDIAN +#pragma message("Using macros for little endian machines") +#endif +#define U64BIG(x) \ + (((0x00000000000000FFULL & (x)) << 56) | \ + ((0x000000000000FF00ULL & (x)) << 40) | \ + ((0x0000000000FF0000ULL & (x)) << 24) | \ + ((0x00000000FF000000ULL & (x)) << 8) | \ + ((0x000000FF00000000ULL & (x)) >> 8) | \ + ((0x0000FF0000000000ULL & (x)) >> 24) | \ + ((0x00FF000000000000ULL & (x)) >> 40) | \ + ((0xFF00000000000000ULL & (x)) >> 56)) +#define U32BIG(x) \ + (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \ + ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24)) +#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8)) + +#else +#error "Ascon byte order macros not defined in endian.h" +#endif + +#endif /* ENDIAN_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/forceinline.h new file mode 100644 index 0000000..ba695cb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/forceinline.h 
@@ -0,0 +1,19 @@ +#ifndef FORCEINLINE_H_ +#define FORCEINLINE_H_ + +/* define forceinline macro */ +#ifdef _MSC_VER +#define forceinline __forceinline +#elif defined(__GNUC__) +#define forceinline inline __attribute__((__always_inline__)) +#elif defined(__CLANG__) +#if __has_attribute(__always_inline__) +#define forceinline inline __attribute__((__always_inline__)) +#else +#define forceinline inline +#endif +#else +#define forceinline inline +#endif + +#endif /* FORCEINLINE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constbranch new file mode 100644 index 0000000..1a9c048 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constbranch @@ -0,0 +1 @@ +Branches reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constindex new file mode 100644 index 0000000..316d11d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/goal-constindex @@ -0,0 +1 @@ +Addresses reviewed 2020-11-13 by Martin Schläffer. diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/implementors new file mode 100644 index 0000000..b110c1a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/implementors @@ -0,0 +1,2 @@ +Christoph Dobraunig +Martin Schläffer diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.c new file mode 100644 index 0000000..46450d4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.c 
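Review bot: The `#elif defined(__CLANG__)` branch is dead: clang predefines `__clang__` (lowercase), not `__CLANG__`, and it also defines `__GNUC__`, so clang always takes the `__GNUC__` branch above and the `__has_attribute` probe is never evaluated. Either delete the branch or, if the intent is to probe the attribute wherever `__has_attribute` exists, test `#if defined(__has_attribute)` before the `__GNUC__` case. Behavior on clang is still correct as written, so this is cleanup rather than a bug.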
@@ -0,0 +1,28 @@ +#include "permutations.h" + +#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P6(state_t* s) { P6ROUNDS(s); } + +#endif + +#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.h new file mode 100644 index 0000000..feaa7dc --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/permutations.h 
@@ -0,0 +1,78 @@ +#ifndef PERMUTATIONS_H_ +#define PERMUTATIONS_H_ + +#include + +#include "api.h" +#include "ascon.h" +#include "config.h" +#include "constants.h" +#include "printstate.h" +#include "round.h" + +forceinline void P12ROUNDS(state_t* s) { + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P8ROUNDS(state_t* s) { + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +forceinline void P6ROUNDS(state_t* s) { + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); +} + +#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12ROUNDS(s); + if (nr == 8) P8ROUNDS(s); + if (nr == 6) P6ROUNDS(s); +} + +#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + +void P12(state_t* s); +void P8(state_t* s); +void P6(state_t* s); + +forceinline void P(state_t* s, int nr) { + if (nr == 12) P12(s); + if (nr == 8) P8(s); + if (nr == 6) P6(s); +} + +#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS + +forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); } + +#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */ + +void P(state_t* s, int nr); + +#endif + +#endif /* PERMUTATIONS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.c new file mode 100644 index 0000000..9b03f87 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.c 
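Review bot: Both inlined `P(state_t* s, int nr)` variants are a chain of `if (nr == 12)`, `if (nr == 8)`, `if (nr == 6)` with no else, so any other `nr` silently performs no permutation and the caller continues with an unpermuted state. Every call site visible in encrypt.c passes `12` or an `nr` derived from `ASCON_AEAD_RATE`, so this is not reachable today, but the contract should be explicit: add `/* nr must be 6, 8 or 12; other values are a no-op */`, or make the last case `else PROUNDS(s, nr);` since round.h is already included.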
@@ -0,0 +1,32 @@ +#ifdef ASCON_PRINT_STATE + +#include "printstate.h" + +#include +#include +#include + +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); +} + +void printstate(const char* text, const state_t* s) { + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.h new file mode 100644 index 0000000..8b95b06 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/printstate.h @@ -0,0 +1,24 @@ +#ifndef PRINTSTATE_H_ +#define PRINTSTATE_H_ + +#ifdef ASCON_PRINT_STATE + +#include "ascon.h" +#include "word.h" + +void printword(const char* text, const uint64_t x); +void printstate(const char* text, const state_t* s); + +#else + +#define printword(text, w) \ + do { \ + } while (0) + +#define printstate(text, s) \ + do { \ + } while (0) + +#endif + +#endif /* PRINTSTATE_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/round.h new file mode 100644 index 0000000..1ecc93d --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/round.h 
@@ -0,0 +1,47 @@ +#ifndef ROUND_H_ +#define ROUND_H_ + +#include "ascon.h" +#include "printstate.h" + +forceinline void ROUND(state_t* s, uint8_t C) { + uint64_t xtemp; + /* round constant */ + s->x[2] ^= C; + /* s-box layer */ + s->x[0] ^= s->x[4]; + s->x[4] ^= s->x[3]; + s->x[2] ^= s->x[1]; + xtemp = s->x[0] & ~s->x[4]; + s->x[0] ^= s->x[2] & ~s->x[1]; + s->x[2] ^= s->x[4] & ~s->x[3]; + s->x[4] ^= s->x[1] & ~s->x[0]; + s->x[1] ^= s->x[3] & ~s->x[2]; + s->x[3] ^= xtemp; + s->x[1] ^= s->x[0]; + s->x[3] ^= s->x[2]; + s->x[0] ^= s->x[4]; + s->x[2] = ~s->x[2]; + /* linear layer */ + s->x[0] ^= + (s->x[0] >> 19) ^ (s->x[0] << 45) ^ (s->x[0] >> 28) ^ (s->x[0] << 36); + s->x[1] ^= + (s->x[1] >> 61) ^ (s->x[1] << 3) ^ (s->x[1] >> 39) ^ (s->x[1] << 25); + s->x[2] ^= + (s->x[2] >> 1) ^ (s->x[2] << 63) ^ (s->x[2] >> 6) ^ (s->x[2] << 58); + s->x[3] ^= + (s->x[3] >> 10) ^ (s->x[3] << 54) ^ (s->x[3] >> 17) ^ (s->x[3] << 47); + s->x[4] ^= + (s->x[4] >> 7) ^ (s->x[4] << 57) ^ (s->x[4] >> 41) ^ (s->x[4] << 23); + printstate(" round output", s); +} + +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + +#endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/word.h new file mode 100644 index 0000000..79bfeb4 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32/word.h 
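Review bot: The linear layer spells each rotation out as a shift pair, e.g. `(s->x[0] >> 19) ^ (s->x[0] << 45)`, although word.h (included via ascon.h) already provides `ROR(uint64_t x, int n)` for exactly this; `s->x[0] ^= ROR(s->x[0], 19) ^ ROR(s->x[0], 28);` reads like the specification and should compile to the same rotate instructions. The same applies to the other four words (61/39, 1/6, 10/17, 7/41). `PROUNDS` relies on the `START`/`INC`/`END` encoding from constants.h, where the round constant doubles as the loop counter; a one-line comment saying so at the `do` loop would save the next reader a trip to constants.h.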
@@ -0,0 +1,69 @@ +#ifndef WORD_H_ +#define WORD_H_ + +#include +#include + +#include "endian.h" +#include "forceinline.h" + +typedef union { + uint64_t x; + uint32_t w[2]; + uint8_t b[8]; +} word_t; + +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) + +forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); } + +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; +} + +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; + result |= result >> 32; + result |= result >> 16; + result |= result >> 8; + return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; +} + +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } + +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { + /* undefined for n == 0 */ + uint64_t mask = ~0ull >> (8 * n); + return w & mask; +} + +forceinline uint64_t MASK(int n) { + /* undefined for n == 0 */ + return ~0ull >> (64 - 8 * n); +} + +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { + uint64_t x = *(uint64_t*)bytes & MASK(n); + return U64TOWORD(x); +} + +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { + *(uint64_t*)bytes &= ~MASK(n); + *(uint64_t*)bytes |= WORDTOU64(w); +} + +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { + uint64_t x = 0; + memcpy(&x, bytes, n); + return U64TOWORD(x); +} + +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { + uint64_t x = WORDTOU64(w); + memcpy(bytes, &x, n); +} + +#endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/api.h new file mode 100644 index 0000000..085b24c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/api.h 
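Review bot: `LOAD(bytes, n)` always reads a full `uint64_t` through `*(uint64_t*)bytes` and masks afterwards, and `STORE(bytes, w, n)` reads, masks and ORs a full `uint64_t` back, so for a partial block (`n < 8`) both touch `8 - n` bytes past the length the caller supplied. encrypt.c calls them with the `adlen`/`mlen`/`clen` remainders, so with buffers sized exactly to the API lengths this is an out-of-bounds read on `ad`, `m` and `c`, and in `ascon_decrypt` the final `STORE(m, *px, clen)` ORs state bytes into memory past the end of `m` (in encryption the spill lands in the tag area and is overwritten by `STOREBYTES`); the `uint8_t*`→`uint64_t*` cast is also a strict-aliasing and alignment violation. `LOADBYTES`/`STOREBYTES` just below already do this correctly with `memcpy`; either use them for the final partial block in the mode code or document the fast path, e.g. `/* LOAD/STORE access a full 8-byte word regardless of n: buffers must be readable/writable for 8 bytes at `bytes` */`.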
@@ -0,0 +1,7 @@ +#define CRYPTO_VERSION "1.2.6" +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 +#define ASCON_AEAD_RATE 8 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/ascon.h new file mode 100644 index 0000000..70a4dee --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/ascon.h @@ -0,0 +1,36 @@ +#ifndef ASCON_H_ +#define ASCON_H_ + +#include + +#include "word.h" + +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; +} state_t; + +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +#define ASCON_ABSORB 0x1 +#define ASCON_SQUEEZE 0x2 +#define ASCON_INSERT 0x4 +#define ASCON_HASH 0x8 +#define ASCON_ENCRYPT (ASCON_ABSORB | ASCON_SQUEEZE) +#define ASCON_DECRYPT (ASCON_ABSORB | ASCON_SQUEEZE | ASCON_INSERT) + +void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len, + uint8_t mode); + +void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len, + const uint8_t* ad, uint64_t adlen, const uint8_t* npub, + const uint8_t* k, uint8_t mode); + +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/config.h new file mode 100644 index 0000000..f5873d0 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/config.h @@ -0,0 +1,19 @@ +#ifndef CONFIG_H_ +#define CONFIG_H_ + +/* inline the ascon mode */ +#ifndef ASCON_INLINE_MODE +#define ASCON_INLINE_MODE 1 +#endif + +/* inline all permutations */ +#ifndef ASCON_INLINE_PERM +#define ASCON_INLINE_PERM 0 +#endif + +/* unroll permutation loops */ +#ifndef ASCON_UNROLL_LOOPS +#define ASCON_UNROLL_LOOPS 0 +#endif + +#endif /* CONFIG_H_ */ 
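Review bot: Same `key_t` naming problem as opt32/ascon.h in this commit: the typedef collides with the POSIX `key_t` from `<sys/types.h>`, which is frequently included transitively, and should be renamed (e.g. `ascon_key_t`). The `#if (CRYPTO_KEYBYTES == 20)` guard again assumes `api.h` was included first; an undefined macro evaluates to 0 and `k0` silently vanishes, so add `#include "api.h"` or an `#ifndef CRYPTO_KEYBYTES` `#error`. The `ASCON_ABSORB`/`SQUEEZE`/`INSERT`/`HASH` mode bits are consumed by `ascon_update`, which is not in this hunk, so a one-line comment per bit here is the only place a reader of the header can learn what each one does.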
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/crypto_aead.c new file mode 100644 index 0000000..ac5c61a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/crypto_aead.c 
@@ -0,0 +1,46 @@ +#include "crypto_aead.h" + +#include + +#include "api.h" +#include "ascon.h" +#include "permutations.h" +#include "printstate.h" + +#ifdef ASCON_AEAD_RATE + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + /* set ciphertext size */ + *clen = mlen + CRYPTO_ABYTES; + /* ascon encryption */ + ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT); + /* set tag */ + for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i]; + return 0; +} + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + uint8_t t[16]; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + /* ascon decryption */ + ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT); + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i]; + return (((result - 1) >> 8) & 1) - 1; +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/encrypt.c new file mode 100644 index 0000000..c6100f6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/encrypt.c 
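Review bot: On tag mismatch `crypto_aead_decrypt` returns -1 but leaves `*mlen = clen - CRYPTO_ABYTES` and the fully decrypted message in `m`, whereas the esp32 decrypt in this same commit zeroes `*mlen`; the variants should agree, e.g. `int r = (((result - 1) >> 8) & 1) - 1; if (r) *mlen = 0; return r;`, and ideally `m` is cleared so a caller that ignores the return value cannot consume unauthenticated data. The computed tag in `t[16]` is also left on the stack. Finally, `uint8_t t[16]` is hard-coded while the copy and compare loops two lines later use `CRYPTO_ABYTES`; `uint8_t t[CRYPTO_ABYTES];` ties the two together.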
@@ -0,0 +1,95 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
+
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8;
+ key_t key;
+ ascon_loadkey(&key, k);
+ /* initialize */
+ state_t s;
+ ascon_initaead(&s, npub, &key);
+ /* process associated data */
+ if (adlen) {
+ ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB);
+ printstate("pad adata", &s);
+ P(&s, nr);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+ /* process plaintext/ciphertext */
+ ascon_update(&s, out, in, tlen, mode);
+ if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s);
+ if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s);
+ /* finalize */
+ ascon_final(&s, &key);
+ ((uint64_t*)t)[0] = WORDTOU64(s.x[3]);
+ ((uint64_t*)t)[1] = WORDTOU64(s.x[4]);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/endian.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/endian.h
new file mode 100644
index 0000000..3136f8c
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/endian.h
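Review bot: `ascon_aead` emits the tag with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);`, which type-puns the caller's `uint8_t t[16]` as `uint64_t`; that is a strict-aliasing violation and, on targets without unaligned access, a possible misaligned store. The commit already has a memcpy-based `STOREBYTES` in word.h (the opt64 encrypt.c hunk uses it for the tag), so `STOREBYTES(t, s.x[3], 8); STOREBYTES(t + 8, s.x[4], 8);` produces the same bytes portably, presumably reachable here via ascon.h's include of word.h.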
@@ -0,0 +1,39 @@
+#ifndef ENDIAN_H_
+#define ENDIAN_H_
+
+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+
+/* macros for big endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for big endian machines")
+#endif
+#define U64BIG(x) (x)
+#define U32BIG(x) (x)
+#define U16BIG(x) (x)
+
+#elif defined(_MSC_VER) || \
+ (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+
+/* macros for little endian machines */
+#ifdef PRAGMA_ENDIAN
+#pragma message("Using macros for little endian machines")
+#endif
+#define U64BIG(x) \
+ (((0x00000000000000FFULL & (x)) << 56) | \
+ ((0x000000000000FF00ULL & (x)) << 40) | \
+ ((0x0000000000FF0000ULL & (x)) << 24) | \
+ ((0x00000000FF000000ULL & (x)) << 8) | \
+ ((0x000000FF00000000ULL & (x)) >> 8) | \
+ ((0x0000FF0000000000ULL & (x)) >> 24) | \
+ ((0x00FF000000000000ULL & (x)) >> 40) | \
+ ((0xFF00000000000000ULL & (x)) >> 56))
+#define U32BIG(x) \
+ (((0x000000FF & (x)) << 24) | ((0x0000FF00 & (x)) << 8) | \
+ ((0x00FF0000 & (x)) >> 8) | ((0xFF000000 & (x)) >> 24))
+#define U16BIG(x) (((0x00FF & (x)) << 8) | ((0xFF00 & (x)) >> 8))
+
+#else
+#error "Ascon byte order macros not defined in endian.h"
+#endif
+
+#endif /* ENDIAN_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/forceinline.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/forceinline.h
new file mode 100644
index 0000000..ba695cb
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/forceinline.h
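Review bot: the little-endian `U64BIG(x)` expands its argument eight times (and printstate.c nests it as `U64BIG(WORDTOU64(x))`, giving 64 expansions), so it is only safe for side-effect-free arguments and that contract is not written down; a line such as `/* x is evaluated several times: pass only a plain lvalue or constant */` above the macro would prevent a future `U64BIG(*p++)`. The `defined(_MSC_VER)` arm also assumes every MSVC target is little-endian, which holds today but deserves a word in the `/* macros for little endian machines */` comment.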
@@ -0,0 +1,19 @@
+#ifndef FORCEINLINE_H_
+#define FORCEINLINE_H_
+
+/* define forceinline macro */
+#ifdef _MSC_VER
+#define forceinline __forceinline
+#elif defined(__GNUC__)
+#define forceinline inline __attribute__((__always_inline__))
+#elif defined(__CLANG__)
+#if __has_attribute(__always_inline__)
+#define forceinline inline __attribute__((__always_inline__))
+#else
+#define forceinline inline
+#endif
+#else
+#define forceinline inline
+#endif
+
+#endif /* FORCEINLINE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constbranch b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constbranch
new file mode 100644
index 0000000..1a9c048
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constbranch
@@ -0,0 +1 @@
+Branches reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constindex b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constindex
new file mode 100644
index 0000000..316d11d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/goal-constindex
@@ -0,0 +1 @@
+Addresses reviewed 2020-11-13 by Martin Schläffer.
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/implementors b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/implementors
new file mode 100644
index 0000000..b110c1a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/implementors
@@ -0,0 +1,2 @@
+Christoph Dobraunig
+Martin Schläffer
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.c
new file mode 100644
index 0000000..46450d4
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.c
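Review bot: `#elif defined(__CLANG__)` tests a macro clang does not predefine — the real one is lowercase `__clang__` — so the `__has_attribute` branch is dead code; clang is in practice caught by the `defined(__GNUC__)` arm above it, which is why nothing breaks today. Either fix the spelling, `#elif defined(__clang__)`, and guard the operator with `defined(__has_attribute)` for compilers that lack it, or delete the branch so the header does not document a check that never runs.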
@@ -0,0 +1,28 @@
+#include "permutations.h"
+
+#if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P6(state_t* s) { P6ROUNDS(s); }
+
+#endif
+
+#if !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.h
new file mode 100644
index 0000000..feaa7dc
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/permutations.h
@@ -0,0 +1,78 @@
+#ifndef PERMUTATIONS_H_
+#define PERMUTATIONS_H_
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "config.h"
+#include "constants.h"
+#include "printstate.h"
+#include "round.h"
+
+forceinline void P12ROUNDS(state_t* s) {
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P8ROUNDS(state_t* s) {
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+forceinline void P6ROUNDS(state_t* s) {
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
+}
+
+#if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12ROUNDS(s);
+ if (nr == 8) P8ROUNDS(s);
+ if (nr == 6) P6ROUNDS(s);
+}
+
+#elif !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
+void P12(state_t* s);
+void P8(state_t* s);
+void P6(state_t* s);
+
+forceinline void P(state_t* s, int nr) {
+ if (nr == 12) P12(s);
+ if (nr == 8) P8(s);
+ if (nr == 6) P6(s);
+}
+
+#elif ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS
+
+forceinline void P(state_t* s, int nr) { PROUNDS(s, nr); }
+
+#else /* !ASCON_INLINE_PERM && !ASCON_UNROLL_LOOPS */
+
+void P(state_t* s, int nr);
+
+#endif
+
+#endif /* PERMUTATIONS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.c
new file mode 100644
index 0000000..9b03f87
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.c
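Review bot: both unrolled `P(s, nr)` variants are a bare chain of `if (nr == 12/8/6)` with no fallback, so an unexpected round count silently leaves the state untouched — for a permutation that is an identity-function failure, the kind a wrong-output test can miss if the same bug affects encrypt and decrypt. Callers in this commit pass only 6, 8 or 12, so a contract comment suffices: `/* nr must be 12, 8 or 6; any other value applies no rounds at all */`. Separately, the `!ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS` wrapper references both `P8` and `P6`, while permutations.c compiles only the one matching the configured rate; that presumably relies on the compiler folding the `nr ==` tests away so the absent symbol is never referenced, which an unoptimised build may not do — worth confirming with a -O0 link.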
@@ -0,0 +1,32 @@
+#ifdef ASCON_PRINT_STATE
+
+#include "printstate.h"
+
+#include
+#include
+#include
+
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
+}
+
+void printstate(const char* text, const state_t* s) {
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.h
new file mode 100644
index 0000000..8b95b06
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/printstate.h
@@ -0,0 +1,24 @@
+#ifndef PRINTSTATE_H_
+#define PRINTSTATE_H_
+
+#ifdef ASCON_PRINT_STATE
+
+#include "ascon.h"
+#include "word.h"
+
+void printword(const char* text, const uint64_t x);
+void printstate(const char* text, const state_t* s);
+
+#else
+
+#define printword(text, w) \
+ do { \
+ } while (0)
+
+#define printstate(text, s) \
+ do { \
+ } while (0)
+
+#endif
+
+#endif /* PRINTSTATE_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/round.h
new file mode 100644
index 0000000..1ecc93d
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/round.h
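Review bot: with `ASCON_PRINT_STATE` defined, `printstate` writes the whole cipher state to stdout at every step, and the call sites labelled "init 1st key xor" / "final 1st key xor" in encrypt.c dump words that are key material; neither printstate.h nor printstate.c says this is a test-vector tracing aid. A comment above the `#ifdef ASCON_PRINT_STATE` in printstate.h such as `/* KAT tracing aid: prints the full (secret) state to stdout; never define in a production build */` makes the intent explicit. Minor: `for (int i = strlen(text); ...)` narrows `size_t` to `int` implicitly; `(int)strlen(text)` states it. The opt64 printstate.c/printstate.h hunks below share both points.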
@@ -0,0 +1,47 @@
+#ifndef ROUND_H_
+#define ROUND_H_
+
+#include "ascon.h"
+#include "printstate.h"
+
+forceinline void ROUND(state_t* s, uint8_t C) {
+ uint64_t xtemp;
+ /* round constant */
+ s->x[2] ^= C;
+ /* s-box layer */
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ xtemp = s->x[0] & ~s->x[4];
+ s->x[0] ^= s->x[2] & ~s->x[1];
+ s->x[2] ^= s->x[4] & ~s->x[3];
+ s->x[4] ^= s->x[1] & ~s->x[0];
+ s->x[1] ^= s->x[3] & ~s->x[2];
+ s->x[3] ^= xtemp;
+ s->x[1] ^= s->x[0];
+ s->x[3] ^= s->x[2];
+ s->x[0] ^= s->x[4];
+ s->x[2] = ~s->x[2];
+ /* linear layer */
+ s->x[0] ^=
+ (s->x[0] >> 19) ^ (s->x[0] << 45) ^ (s->x[0] >> 28) ^ (s->x[0] << 36);
+ s->x[1] ^=
+ (s->x[1] >> 61) ^ (s->x[1] << 3) ^ (s->x[1] >> 39) ^ (s->x[1] << 25);
+ s->x[2] ^=
+ (s->x[2] >> 1) ^ (s->x[2] << 63) ^ (s->x[2] >> 6) ^ (s->x[2] << 58);
+ s->x[3] ^=
+ (s->x[3] >> 10) ^ (s->x[3] << 54) ^ (s->x[3] >> 17) ^ (s->x[3] << 47);
+ s->x[4] ^=
+ (s->x[4] >> 7) ^ (s->x[4] << 57) ^ (s->x[4] >> 41) ^ (s->x[4] << 23);
+ printstate(" round output", s);
+}
+
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
+#endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/update.c
new file mode 100644
index 0000000..b81b24e
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/update.c
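Review bot: `PROUNDS` is a `do … while (i != END)` walk from `START(nr)` in steps of `INC`, so it always applies at least one round and terminates only if that walk lands exactly on `END` (0x3c); with `START(n) = ((3 + n) << 4 | (12 - n))` from constants.h that is the case for `nr` in 1..12, whereas `nr == 0` first applies a round with the bogus constant 0x3c and then, like any value above 12, never reaches `END` and spins forever. Nothing in the function guards this, so state the contract next to it: `/* nr must be in 1..12: START(nr) counts down by 0x0f to END; other values apply a wrong constant and/or never terminate */`. Current callers pass only 6, 8 or 12.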
@@ -0,0 +1,77 @@
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
+void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
+ uint8_t mode) {
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) {
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
+ }
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
+ }
+ /* compute permutation for full blocks */
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
+ }
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/word.h
new file mode 100644
index 0000000..79bfeb4
--- /dev/null
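Review bot: `tmp` is declared uninitialised and, when `ASCON_HASH_BYTES` is defined, is only assigned inside the `if (mode & ASCON_ABSORB)` block, yet the `mode & ASCON_INSERT` branches in both the loop and the tail read it unconditionally; whether a mode can carry INSERT without ABSORB is not visible here (the flag definitions are outside this hunk), so if it can, `s->x[i] = tmp` uses an indeterminate value. `uint64_t tmp = 0;` settles the question at no cost. Note also that the tail here correctly uses `LOADBYTES`/`STOREBYTES` for the partial block, whereas the opt64 encrypt.c hunk below uses the full-word `LOAD`/`STORE` for the same step.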
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt32_lowsize/word.h
@@ -0,0 +1,69 @@
+#ifndef WORD_H_
+#define WORD_H_
+
+#include
+#include
+
+#include "endian.h"
+#include "forceinline.h"
+
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
+
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
+
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
+
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
+ return lo2hi << 32 | hi2lo >> 32;
+}
+
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
+ uint64_t result = a | b;
+ result |= result >> 32;
+ result |= result >> 16;
+ result |= result >> 8;
+ return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
+}
+
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
+
+forceinline uint64_t CLEAR(uint64_t w, int n) {
+ /* undefined for n == 0 */
+ uint64_t mask = ~0ull >> (8 * n);
+ return w & mask;
+}
+
+forceinline uint64_t MASK(int n) {
+ /* undefined for n == 0 */
+ return ~0ull >> (64 - 8 * n);
+}
+
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
+ uint64_t x = *(uint64_t*)bytes & MASK(n);
+ return U64TOWORD(x);
+}
+
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
+ *(uint64_t*)bytes &= ~MASK(n);
+ *(uint64_t*)bytes |= WORDTOU64(w);
+}
+
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
+ uint64_t x = 0;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
+}
+
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
+}
+
+#endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/api.h
index 017428a..085b24c 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/api.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/api.h
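Review bot: `LOAD` and `STORE` access a full 8-byte word through `*(uint64_t*)bytes` whatever `n` is: `LOAD(bytes, n)` reads up to 8 - n bytes past the caller's data, `STORE(bytes, w, n)` rewrites all eight bytes (the ones beyond `n` receive `w`'s upper bytes, i.e. state content), and the `uint8_t*` to `uint64_t*` cast is unaligned on strict targets and an aliasing violation everywhere. That precondition is nowhere stated; add `/* accesses a full 8-byte word: the caller must own 8 readable/writable bytes at `bytes` even when n < 8 */` to both, and use `LOADBYTES`/`STOREBYTES` wherever a buffer may end inside the word. Also the `CLEAR` comment says "undefined for n == 0", but `~0ull >> (8 * n)` is well defined at 0 and undefined at n == 8 (shift by the operand width); the `MASK` comment is the accurate one, since there `64 - 8 * n` is 64 at n == 0.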
@@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 20 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/ascon.h @@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/constants.h 
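Review bot: the new `typedef struct { … } key_t;` in ascon.h takes the name `key_t`, which POSIX reserves in sys/types.h for the System V IPC key type; any translation unit that sees both — directly, or through a libc header that pulls in sys/types.h — fails with a conflicting typedef. A project-prefixed name such as `ascon_key_t` avoids the collision; if a rename is out of scope for this release, a comment on the typedef should at least record the hazard. The `#if (CRYPTO_KEYBYTES == 20)` inside the struct also relies on api.h being included before ascon.h, which this hunk does not show.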
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/encrypt.c
index 1d77bb2..631e60c 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/encrypt.c
@@ -1,83 +1,220 @@ #include "api.h" -#include "endian.h" +#include "ascon.h" +#include "crypto_aead.h" #include "permutations.h" +#include "printstate.h" -#define RATE (64 / 8) -#define PA_ROUNDS 12 -#define PB_ROUNDS 6 -#define IV \ - ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \ - (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32) +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif -int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, - const unsigned char* m, unsigned long long mlen, - const unsigned char* ad, unsigned long long adlen, - const unsigned char* nsec, const unsigned char* npub, - const unsigned char* k) { - const u64 K0 = U64BIG(*(u64*)(k + 0)) >> 32; - const u64 K1 = U64BIG(*(u64*)(k + 4)); - const u64 K2 = U64BIG(*(u64*)(k + 12)); - const u64 N0 = U64BIG(*(u64*)npub); - const u64 N1 = U64BIG(*(u64*)(npub + 8)); - state s; - u64 i; - (void)nsec; +#ifdef ASCON_AEAD_RATE - // set ciphertext size - *clen = mlen + CRYPTO_ABYTES; +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} - // initialization - s.x0 = IV | K0; - s.x1 = K1; - s.x2 = K2; - s.x3 = N0; - s.x4 = N1; - P12(); - s.x2 ^= K0; - s.x3 ^= K1; - s.x4 ^= K2; +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + 
printstate("init 2nd key xor", s); +} - // process associated data +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; if (adlen) { - while (adlen >= RATE) { - s.x0 ^= U64BIG(*(u64*)ad); - P6(); - adlen -= RATE; - ad += RATE; + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; } - for (i = 0; i < adlen; ++i, ++ad) s.x0 ^= INS_BYTE64(*ad, i); - s.x0 ^= INS_BYTE64(0x80, adlen); - P6(); + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); } - s.x4 ^= 1; + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} - // process plaintext - while (mlen >= RATE) { - s.x0 ^= U64BIG(*(u64*)m); - *(u64*)c = U64BIG(s.x0); - P6(); - mlen -= RATE; - m += RATE; - c += RATE; +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; } - for (i = 0; i < mlen; ++i, ++m, ++c) { - s.x0 ^= INS_BYTE64(*m, i); - *c = EXT_BYTE64(s.x0, i); + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; } - s.x0 ^= INS_BYTE64(0x80, mlen); + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} - // finalization - s.x1 ^= K0 << 32 | K1 >> 32; - s.x2 ^= K1 << 32 | K2 >> 32; - s.x3 ^= K2 << 32; - P12(); - s.x3 ^= K1; - s.x4 ^= K2; +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} - // set tag - *(u64*)c = U64BIG(s.x3); - *(u64*)(c + 8) = U64BIG(s.x4); +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 
8, s.x[4], 8); return 0; } +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/permutations.h 
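Review bot: `ascon_decrypt`'s final partial block does `STORE(m, *px, clen)` with `clen` below 8, and `STORE` (word.h in this commit) writes all eight bytes at `m`; since exactly `*mlen` plaintext bytes remain at that point, a caller whose output buffer is sized to `*mlen` gets up to seven bytes written past its end, and those bytes are derived from the internal state (`*px` after the pad and keystream xor). `ascon_encrypt` has the same `STORE(c, *px, mlen)` — there the 16 tag bytes that follow in `c` absorb the overrun before being overwritten — and the `LOAD(ad, adlen)`, `LOAD(m, mlen)` and `LOAD(c, clen)` tail reads over-read up to seven bytes in the same way. The memcpy-based helpers already used for the tag are the safe form for the tail, as update.c in the opt32_lowsize hunk does: `STOREBYTES(m, *px, clen);` and `LOADBYTES(c, clen)` (likewise for `ad`/`m`); if the whole-word access is a deliberate speed trade-off, the buffer-size requirement must be stated on `crypto_aead_encrypt`/`crypto_aead_decrypt`, the public entry points.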
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.c 
@@ -1,21 +1,32 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/round.h
index cd8ec34..e5ceb5a 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/round.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/round.h
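Review bot: The trace guard changes name from ASCON_PRINTSTATE to ASCON_PRINT_STATE in printstate.c and printstate.h, so a build that still passes the old define silently compiles the stub versions instead of the state dump; consider catching that next to the new guard with `#if defined(ASCON_PRINTSTATE) && !defined(ASCON_PRINT_STATE)` / `#error "ASCON_PRINTSTATE was renamed to ASCON_PRINT_STATE"` / `#endif`. In printstate(), `int i = strlen(text)` narrows a size_t into an int and warns under -Wconversion; declaring the index as `size_t` avoids that. The dump prints every state word, including the key-derived ones, which is the purpose of a debug trace but deserves a comment such as `/* debug only: prints key-dependent state, never enable in production builds */`. The same two hunks appear again below for the opt64_lowsize copies of printstate.c and printstate.h.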
@@ -4,49 +4,43 @@
 #include "ascon.h"
 #include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-forceinline void ROUND(state_t* s, word_t C) {
+forceinline void ROUND(state_t* s, uint8_t C) {
 state_t t;
 /* round constant */
- s->x2 = XOR(s->x2, C);
+ s->x[2] ^= C;
 /* s-box layer */
- s->x0 = XOR(s->x0, s->x4);
- s->x4 = XOR(s->x4, s->x3);
- s->x2 = XOR(s->x2, s->x1);
- t.x0 = XOR(s->x0, AND(NOT(s->x1), s->x2));
- t.x2 = XOR(s->x2, AND(NOT(s->x3), s->x4));
- t.x4 = XOR(s->x4, AND(NOT(s->x0), s->x1));
- t.x1 = XOR(s->x1, AND(NOT(s->x2), s->x3));
- t.x3 = XOR(s->x3, AND(NOT(s->x4), s->x0));
- t.x1 = XOR(t.x1, t.x0);
- t.x3 = XOR(t.x3, t.x2);
- t.x0 = XOR(t.x0, t.x4);
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]);
+ t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]);
+ t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]);
+ t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]);
+ t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]);
+ t.x[1] ^= t.x[0];
+ t.x[3] ^= t.x[2];
+ t.x[0] ^= t.x[4];
 /* linear layer */
- s->x2 = XOR(t.x2, ROR(t.x2, 6 - 1));
- s->x3 = XOR(t.x3, ROR(t.x3, 17 - 10));
- s->x4 = XOR(t.x4, ROR(t.x4, 41 - 7));
- s->x0 = XOR(t.x0, ROR(t.x0, 28 - 19));
- s->x1 = XOR(t.x1, ROR(t.x1, 61 - 39));
- s->x2 = XOR(t.x2, ROR(s->x2, 1));
- s->x3 = XOR(t.x3, ROR(s->x3, 10));
- s->x4 = XOR(t.x4, ROR(s->x4, 7));
- s->x0 = XOR(t.x0, ROR(s->x0, 19));
- s->x1 = XOR(t.x1, ROR(s->x1, 39));
- s->x2 = NOT(s->x2);
+ s->x[2] = t.x[2] ^ ROR(t.x[2], 6 - 1);
+ s->x[3] = t.x[3] ^ ROR(t.x[3], 17 - 10);
+ s->x[4] = t.x[4] ^ ROR(t.x[4], 41 - 7);
+ s->x[0] = t.x[0] ^ ROR(t.x[0], 28 - 19);
+ s->x[1] = t.x[1] ^ ROR(t.x[1], 61 - 39);
+ s->x[2] = t.x[2] ^ ROR(s->x[2], 1);
+ s->x[3] = t.x[3] ^ ROR(s->x[3], 10);
+ s->x[4] = t.x[4] ^ ROR(s->x[4], 7);
+ s->x[0] = t.x[0] ^ ROR(s->x[0], 19);
+ s->x[1] = t.x[1] ^ ROR(s->x[1], 39);
+ s->x[2] = ~s->x[2];
 printstate(" round output", s);
 }
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
 #endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/word.h
index 3df73c4..79bfeb4 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/word.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64/word.h
@@ -2,30 +2,27 @@
 #define WORD_H_
 #include
+#include
 #include "endian.h"
 #include "forceinline.h"
-typedef uint64_t word_t;
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
-#define WORD_T
-#define UINT64_T
-#define U64TOWORD
-#define WORDTOU64
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
-forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); }
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
-forceinline word_t NOT(word_t a) { return ~a; }
-
-forceinline word_t XOR(word_t a, word_t b) { return a ^ b; }
-
-forceinline word_t AND(word_t a, word_t b) { return a & b; }
-
-forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) {
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
 return lo2hi << 32 | hi2lo >> 32;
 }
-forceinline int NOTZERO(word_t a, word_t b) {
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
 uint64_t result = a | b;
 result |= result >> 32;
 result |= result >> 16;
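Review bot: PROUNDS() terminates only because START(nr) - END is a multiple of 0x0f for nr in 1..12; for nr == 0, START(0) already equals END, so the do/while runs one round with constant 0x3c and then steps below END without ever matching it again, and values above 12 make START() OR a negative number with the same effect. Nothing in the hunk states the valid range, and as far as this patch shows P() only ever passes 6, 8 or 12, so a precondition comment is enough: `/* nr must be 1..12: i steps down by 0x0f from START(nr) and hits END exactly; nr == 0 never terminates */`. The same PROUNDS is added to the opt64_lowsize copy of round.h further down in this chunk.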
@@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) {
 return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
 }
-forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t CLEAR(uint64_t w, int n) {
 /* undefined for n == 0 */
- uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8);
+ uint64_t mask = ~0ull >> (8 * n);
 return w & mask;
 }
@@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); }
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
 uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64BIG(x);
+ return U64TOWORD(x);
 }
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
 *(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(w);
+ *(uint64_t*)bytes |= WORDTOU64(w);
 }
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
 uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
- return x;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
 }
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i];
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
 }
 #endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/api.h
index 017428a..085b24c 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/api.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/api.h
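Review bot: The comment `/* undefined for n == 0 */` kept inside CLEAR() is now stale: the new mask `~0ull >> (8 * n)` is well defined for n == 0 (it clears nothing) and is instead undefined for n == 8, where the shift width equals the type width. update.c in this patch calls `CLEAR(s->x[i], len)` with len in 0..7 after its `while (len >= 8)` loop, so n == 0 does occur and the comment should read `/* undefined for n == 8 (shift by 64); callers pass 0 <= n < 8 */`. Separately, the retyped LOAD() and STORE() still go through `*(uint64_t*)bytes`, while the rewritten LOADBYTES()/STOREBYTES() use memcpy; the memcpy form is the one that is alignment- and aliasing-safe on every target. The opt64_lowsize word.h hunk further down carries the same stale comment.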
@@ -1,4 +1,4 @@
-#define CRYPTO_VERSION "1.2.5"
+#define CRYPTO_VERSION "1.2.6"
 #define CRYPTO_KEYBYTES 20
 #define CRYPTO_NSECBYTES 0
 #define CRYPTO_NPUBBYTES 16
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/ascon.h
index 471e4a5..70a4dee 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/ascon.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/ascon.h
@@ -5,10 +5,20 @@
 #include "word.h"
-typedef struct {
- word_t x0, x1, x2, x3, x4;
+typedef union {
+ uint64_t x[5];
+ uint32_t w[5][2];
+ uint8_t b[5][8];
 } state_t;
+typedef struct {
+#if (CRYPTO_KEYBYTES == 20)
+ uint64_t k0;
+#endif
+ uint64_t k1;
+ uint64_t k2;
+} key_t;
+
 #define ASCON_ABSORB 0x1
 #define ASCON_SQUEEZE 0x2
 #define ASCON_INSERT 0x4
@@ -19,8 +29,8 @@ typedef struct {
 void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
 uint8_t mode);
-void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen,
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t len,
 const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
 const uint8_t* k, uint8_t mode);
-#endif /* ASCON_H */
+#endif /* ASCON_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/config.h
index a4f5879..f5873d0 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/config.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/config.h
@@ -3,7 +3,7 @@
 /* inline the ascon mode */
 #ifndef ASCON_INLINE_MODE
-#define ASCON_INLINE_MODE 0
+#define ASCON_INLINE_MODE 1
 #endif
 /* inline all permutations */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/constants.h
new file mode 100644
index 0000000..f2cb740
--- /dev/null
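Review bot: The new `typedef struct { ... } key_t;` in ascon.h reuses the name of the POSIX type key_t declared in <sys/types.h>, which glibc's <stdio.h>/<stdlib.h> can pull in under the default feature macros, so a translation unit that sees both would fail with a conflicting typedef; a project-prefixed name such as `ascon_key_t` avoids the clash. The opt8 ascon.h hunk near the end of this chunk introduces the same typedef. The ascon_aead() prototype gains a bare `uint8_t* t` for the tag without stating its size; a comment such as `/* t: 16-byte tag output buffer */` next to the declaration would document the contract that crypto_aead.c in this patch relies on.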
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/constants.h 
@@ -0,0 +1,87 @@
+#ifndef CONSTANTS_H_
+#define CONSTANTS_H_
+
+#include
+
+#define ASCON_128_KEYBYTES 16
+#define ASCON_128A_KEYBYTES 16
+#define ASCON_80PQ_KEYBYTES 20
+
+#define ASCON_128_RATE 8
+#define ASCON_128A_RATE 16
+#define ASCON_HASH_RATE 8
+#define ASCON_PRF_IN_RATE 32
+#define ASCON_PRF_OUT_RATE 16
+
+#define ASCON_128_PA_ROUNDS 12
+#define ASCON_128_PB_ROUNDS 6
+
+#define ASCON_128A_PA_ROUNDS 12
+#define ASCON_128A_PB_ROUNDS 8
+
+#define ASCON_HASH_PA_ROUNDS 12
+#define ASCON_HASH_PB_ROUNDS 12
+
+#define ASCON_HASHA_PA_ROUNDS 12
+#define ASCON_HASHA_PB_ROUNDS 8
+
+#define ASCON_PRF_PA_ROUNDS 12
+#define ASCON_PRF_PB_ROUNDS 12
+
+#define ASCON_128_IV 0x80400c0600000000ull
+#define ASCON_128A_IV 0x80800c0800000000ull
+#define ASCON_80PQ_IV 0xa0400c0600000000ull
+
+#define ASCON_HASH_IV 0x00400c0000000100ull
+#define ASCON_HASHA_IV 0x00400c0400000100ull
+#define ASCON_XOF_IV 0x00400c0000000000ull
+#define ASCON_XOFA_IV 0x00400c0400000000ull
+
+#define ASCON_PRF_IV 0x80808c0000000000ull
+#define ASCON_MAC_IV 0x80808c0000000080ull
+#define ASCON_PRFS_IV 0x80004c8000000000ull
+
+#define ASCON_HASH_IV0 0xee9398aadb67f03dull
+#define ASCON_HASH_IV1 0x8bb21831c60f1002ull
+#define ASCON_HASH_IV2 0xb48a92db98d5da62ull
+#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull
+#define ASCON_HASH_IV4 0x348fa5c9d525e140ull
+
+#define ASCON_HASHA_IV0 0x01470194fc6528a6ull
+#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull
+#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull
+#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull
+#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull
+
+#define ASCON_XOF_IV0 0xb57e273b814cd416ull
+#define ASCON_XOF_IV1 0x2b51042562ae2420ull
+#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull
+#define ASCON_XOF_IV3 0x5aad0a7a8153650cull
+#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull
+
+#define ASCON_XOFA_IV0 0x44906568b77b9832ull
+#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull
+#define ASCON_XOFA_IV2 0xf7b5212756422129ull
+#define ASCON_XOFA_IV3 0x246885e1de0d225bull
+#define ASCON_XOFA_IV4 0xa8cb5ce33449973full
+
+#define RC0 0xf0
+#define RC1 0xe1
+#define RC2 0xd2
+#define RC3 0xc3
+#define RC4 0xb4
+#define RC5 0xa5
+#define RC6 0x96
+#define RC7 0x87
+#define RC8 0x78
+#define RC9 0x69
+#define RCa 0x5a
+#define RCb 0x4b
+
+#define RC(i) (i)
+
+#define START(n) ((3 + (n)) << 4 | (12 - (n)))
+#define INC -0x0f
+#define END 0x3c
+
+#endif /* CONSTANTS_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/crypto_aead.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/crypto_aead.c
new file mode 100644
index 0000000..ac5c61a
--- /dev/null
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/crypto_aead.c
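Review bot: `#define INC -0x0f` is an unparenthesized negative literal, and INC, END, START and RC are generic, unprefixed macro names in a header that every implementation directory includes; `#define INC (-0x0f)` is the minimal fix, and a prefix in the style of the other macros (ASCON_RC_INC, ASCON_RC_END) would keep them from colliding with application code or other headers. `#define RC(i) (i)` is a harmless identity but its reason is not stated; `/* the loop counter in PROUNDS is used directly as the 8-bit round constant */` would explain it. The opt8 constants.h at the end of this chunk is the same blob (index f2cb740), so both copies need the change.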
@@ -0,0 +1,46 @@
+#include "crypto_aead.h"
+
+#include
+
+#include "api.h"
+#include "ascon.h"
+#include "permutations.h"
+#include "printstate.h"
+
+#ifdef ASCON_AEAD_RATE
+
+int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
+ const unsigned char* m, unsigned long long mlen,
+ const unsigned char* ad, unsigned long long adlen,
+ const unsigned char* nsec, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ /* set ciphertext size */
+ *clen = mlen + CRYPTO_ABYTES;
+ /* ascon encryption */
+ ascon_aead(t, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
+ /* set tag */
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) c[mlen + i] = t[i];
+ return 0;
+}
+
+int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
+ unsigned char* nsec, const unsigned char* c,
+ unsigned long long clen, const unsigned char* ad,
+ unsigned long long adlen, const unsigned char* npub,
+ const unsigned char* k) {
+ uint8_t t[16];
+ (void)nsec;
+ if (clen < CRYPTO_ABYTES) return -1;
+ /* set plaintext size */
+ *mlen = clen - CRYPTO_ABYTES;
+ /* ascon decryption */
+ ascon_aead(t, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
+ /* verify tag (should be constant time, check compiler output) */
+ int result = 0;
+ for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= t[i] ^ c[*mlen + i];
+ return (((result - 1) >> 8) & 1) - 1;
+}
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/encrypt.c
index 4a5b335..c6100f6 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/encrypt.c
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/encrypt.c
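Review bot: crypto_aead_decrypt() writes the decrypted bytes into m before the tag is compared and leaves them there when it returns -1, so a caller that ignores the return value consumes unauthenticated plaintext; at minimum document that on the function, `/* on tag mismatch m already holds the unverified plaintext; callers must discard it */`, or wipe m before returning the failure. Both functions size the tag buffer as `uint8_t t[16]` while the copy and compare loops run to CRYPTO_ABYTES, which comes from api.h and is not visible here; `uint8_t t[CRYPTO_ABYTES];` ties the two together. The final `(((result - 1) >> 8) & 1) - 1` depends on an arithmetic right shift of a negative int, which is implementation-defined in C; the existing comment already asks for the compiler output to be checked, so naming that dependency there would help the next reader.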
@@ -1,26 +1,95 @@
 #include "api.h"
 #include "ascon.h"
-#include "crypto_aead.h"
 #include "permutations.h"
 #include "printstate.h"
-void ascon_aead(state_t* s, uint8_t* out, const uint8_t* in, uint64_t tlen,
- const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
- const uint8_t* k, uint8_t mode);
+#if !ASCON_INLINE_MODE
+#undef forceinline
+#define forceinline
+#endif
+
+#ifdef ASCON_AEAD_RATE
+
+forceinline void ascon_loadkey(key_t* key, const uint8_t* k) {
+#if CRYPTO_KEYBYTES == 16
+ key->k1 = LOAD(k, 8);
+ key->k2 = LOAD(k + 8, 8);
+#else /* CRYPTO_KEYBYTES == 20 */
+ key->k0 = KEYROT(0, LOADBYTES(k, 4));
+ key->k1 = LOADBYTES(k + 4, 8);
+ key->k2 = LOADBYTES(k + 12, 8);
+#endif
+}
+
+forceinline void ascon_initaead(state_t* s, const uint8_t* npub,
+ const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV;
+ if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV;
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[0] = ASCON_80PQ_IV ^ key->k0;
+#endif
+ s->x[1] = key->k1;
+ s->x[2] = key->k2;
+ s->x[3] = LOAD(npub, 8);
+ s->x[4] = LOAD(npub + 8, 8);
+ printstate("init 1st key xor", s);
+ P(s, 12);
+#if CRYPTO_KEYBYTES == 20
+ s->x[2] ^= key->k0;
+#endif
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("init 2nd key xor", s);
+}
+
+forceinline void ascon_final(state_t* s, const key_t* key) {
+#if CRYPTO_KEYBYTES == 16
+ if (ASCON_AEAD_RATE == 8) {
+ s->x[1] ^= key->k1;
+ s->x[2] ^= key->k2;
+ } else {
+ s->x[2] ^= key->k1;
+ s->x[3] ^= key->k2;
+ }
+#else /* CRYPTO_KEYBYTES == 20 */
+ s->x[1] ^= KEYROT(key->k0, key->k1);
+ s->x[2] ^= KEYROT(key->k1, key->k2);
+ s->x[3] ^= KEYROT(key->k2, 0);
+#endif
+ printstate("final 1st key xor", s);
+ P(s, 12);
+ s->x[3] ^= key->k1;
+ s->x[4] ^= key->k2;
+ printstate("final 2nd key xor", s);
+}
-int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
- const unsigned char* m, unsigned long long mlen,
- const unsigned char* ad, unsigned long long adlen,
- const unsigned char* nsec, const unsigned char* npub,
- const unsigned char* k) {
+void ascon_aead(uint8_t* t, uint8_t* out, const uint8_t* in, uint64_t tlen,
+ const uint8_t* ad, uint64_t adlen, const uint8_t* npub,
+ const uint8_t* k, uint8_t mode) {
+ const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8;
+ key_t key;
+ ascon_loadkey(&key, k);
+ /* initialize */
 state_t s;
- (void)nsec;
- /* set ciphertext size */
- *clen = mlen + CRYPTO_ABYTES;
- /* ascon encryption */
- ascon_aead(&s, c, m, mlen, ad, adlen, npub, k, ASCON_ENCRYPT);
- /* set tag */
- STOREBYTES(c + mlen, s.x3, 8);
- STOREBYTES(c + mlen + 8, s.x4, 8);
- return 0;
+ ascon_initaead(&s, npub, &key);
+ /* process associated data */
+ if (adlen) {
+ ascon_update(&s, (void*)0, ad, adlen, ASCON_ABSORB);
+ printstate("pad adata", &s);
+ P(&s, nr);
+ }
+ /* domain separation */
+ s.x[4] ^= 1;
+ printstate("domain separation", &s);
+ /* process plaintext/ciphertext */
+ ascon_update(&s, out, in, tlen, mode);
+ if (mode == ASCON_ENCRYPT) printstate("pad plaintext", &s);
+ if (mode == ASCON_DECRYPT) printstate("pad ciphertext", &s);
+ /* finalize */
+ ascon_final(&s, &key);
+ ((uint64_t*)t)[0] = WORDTOU64(s.x[3]);
+ ((uint64_t*)t)[1] = WORDTOU64(s.x[4]);
 }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.c
index b979cd6..46450d4 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.c
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.c
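Review bot: The last two statements of ascon_aead() write the tag with `((uint64_t*)t)[0] = WORDTOU64(s.x[3]);`, a uint64_t store through a pointer into the caller's `uint8_t t[16]`, which carries no 8-byte alignment guarantee and violates strict aliasing; the memcpy-based STOREBYTES() from this patch's word.h does the same job safely: `STOREBYTES(t, s.x[3], 8);` and `STOREBYTES(t + 8, s.x[4], 8);`. The locals `key_t key` and `state_t s` hold key material and are simply left on the stack on return; whether wiping matters depends on the deployment, but a one-line comment stating that no wiping is attempted would make that choice explicit. The `#undef forceinline` block at the top silently redefines a macro owned by forceinline.h; a comment such as `/* without ASCON_INLINE_MODE the helpers below become ordinary static-linkage functions */` would mark that as intentional.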
@@ -3,7 +3,20 @@
 #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
 void P12(state_t* s) { P12ROUNDS(s); }
+
+#endif
+
+#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \
+ (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
 void P8(state_t* s) { P8ROUNDS(s); }
+
+#endif
+
+#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \
+ !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
+
 void P6(state_t* s) { P6ROUNDS(s); }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.h
index d640357..feaa7dc 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/permutations.h
@@ -6,103 +6,43 @@
 #include "api.h"
 #include "ascon.h"
 #include "config.h"
+#include "constants.h"
 #include "printstate.h"
 #include "round.h"
-#define ASCON_128_KEYBYTES 16
-#define ASCON_128A_KEYBYTES 16
-#define ASCON_80PQ_KEYBYTES 20
-
-#define ASCON_128_RATE 8
-#define ASCON_128A_RATE 16
-#define ASCON_HASH_RATE 8
-
-#define ASCON_128_PA_ROUNDS 12
-#define ASCON_128_PB_ROUNDS 6
-
-#define ASCON_128A_PA_ROUNDS 12
-#define ASCON_128A_PB_ROUNDS 8
-
-#define ASCON_HASH_PA_ROUNDS 12
-#define ASCON_HASH_PB_ROUNDS 12
-
-#define ASCON_HASHA_PA_ROUNDS 12
-#define ASCON_HASHA_PB_ROUNDS 8
-
-#define ASCON_HASH_BYTES 32
-
-#define ASCON_128_IV WORD_T(0x80400c0600000000ull)
-#define ASCON_128A_IV WORD_T(0x80800c0800000000ull)
-#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull)
-#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull)
-#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull)
-#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull)
-#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull)
-
-#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull)
-#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull)
-#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull)
-#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull)
-#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull)
-
-#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull)
-#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull)
-#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull)
-#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull)
-#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull)
-
-#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull)
-#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull)
-#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull)
-#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull)
-#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull)
-
-#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull)
-#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull)
-#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull)
-#define ASCON_XOFA_IV3 WORD_T(0x246885e1de0d225bull)
-#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full)
-
-#define START(n) ((3 + (n)) << 4 | (12 - (n)))
-#define RC(c) WORD_T(c)
-
 forceinline void P12ROUNDS(state_t* s) {
- ROUND(s, RC(0xf0));
- ROUND(s, RC(0xe1));
- ROUND(s, RC(0xd2));
- ROUND(s, RC(0xc3));
- ROUND(s, RC(0xb4));
- ROUND(s, RC(0xa5));
- ROUND(s, RC(0x96));
- ROUND(s, RC(0x87));
- ROUND(s, RC(0x78));
- ROUND(s, RC(0x69));
- ROUND(s, RC(0x5a));
- ROUND(s, RC(0x4b));
+ ROUND(s, RC0);
+ ROUND(s, RC1);
+ ROUND(s, RC2);
+ ROUND(s, RC3);
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P8ROUNDS(state_t* s) {
- ROUND(s, RC(0xb4));
- ROUND(s, RC(0xa5));
- ROUND(s, RC(0x96));
- ROUND(s, RC(0x87));
- ROUND(s, RC(0x78));
- ROUND(s, RC(0x69));
- ROUND(s, RC(0x5a));
- ROUND(s, RC(0x4b));
+ ROUND(s, RC4);
+ ROUND(s, RC5);
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 forceinline void P6ROUNDS(state_t* s) {
- ROUND(s, RC(0x96));
- ROUND(s, RC(0x87));
- ROUND(s, RC(0x78));
- ROUND(s, RC(0x69));
- ROUND(s, RC(0x5a));
- ROUND(s, RC(0x4b));
-}
-
-forceinline void PROUNDS(state_t* s, int nr) {
- for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i));
+ ROUND(s, RC6);
+ ROUND(s, RC7);
+ ROUND(s, RC8);
+ ROUND(s, RC9);
+ ROUND(s, RCa);
+ ROUND(s, RCb);
 }
 #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.c
index 6cb5f4d..9b03f87 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.c
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.c
@@ -1,21 +1,32 @@
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "printstate.h"
 #include
 #include
+#include
-void printword(const char* text, const word_t x) {
- printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x));
+#ifndef WORDTOU64
+#define WORDTOU64
+#endif
+
+#ifndef U64BIG
+#define U64BIG
+#endif
+
+void printword(const char* text, const uint64_t x) {
+ printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x)));
 }
 void printstate(const char* text, const state_t* s) {
- printf("%s:\n", text);
- printword(" x0", s->x0);
- printword(" x1", s->x1);
- printword(" x2", s->x2);
- printword(" x3", s->x3);
- printword(" x4", s->x4);
+ printf("%s:", text);
+ for (int i = strlen(text); i < 17; ++i) printf(" ");
+ printword(" x0", s->x[0]);
+ printword(" x1", s->x[1]);
+ printword(" x2", s->x[2]);
+ printword(" x3", s->x[3]);
+ printword(" x4", s->x[4]);
+ printf("\n");
 }
 #endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.h
index 77fc246..8b95b06 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/round.h
index b4635a6..afdf76e 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/round.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/round.h
@@ -4,50 +4,44 @@
 #include "ascon.h"
 #include "printstate.h"
-forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) {
- *K0 = WORD_T(0);
- *K1 = WORD_T(0);
- *K2 = WORD_T(0);
-}
-
-forceinline void PINIT(state_t* s) {
- s->x0 = WORD_T(0);
- s->x1 = WORD_T(0);
- s->x2 = WORD_T(0);
- s->x3 = WORD_T(0);
- s->x4 = WORD_T(0);
-}
-
-forceinline void ROUND(state_t* s, word_t C) {
- word_t xtemp;
+forceinline void ROUND(state_t* s, uint8_t C) {
+ uint64_t xtemp;
 /* round constant */
- s->x2 = XOR(s->x2, C);
+ s->x[2] ^= C;
 /* s-box layer */
- s->x0 = XOR(s->x0, s->x4);
- s->x4 = XOR(s->x4, s->x3);
- s->x2 = XOR(s->x2, s->x1);
- xtemp = AND(s->x0, NOT(s->x4));
- s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1)));
- s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3)));
- s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0)));
- s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2)));
- s->x3 = XOR(s->x3, xtemp);
- s->x1 = XOR(s->x1, s->x0);
- s->x3 = XOR(s->x3, s->x2);
- s->x0 = XOR(s->x0, s->x4);
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
+ xtemp = s->x[0] & ~s->x[4];
+ s->x[0] ^= s->x[2] & ~s->x[1];
+ s->x[2] ^= s->x[4] & ~s->x[3];
+ s->x[4] ^= s->x[1] & ~s->x[0];
+ s->x[1] ^= s->x[3] & ~s->x[2];
+ s->x[3] ^= xtemp;
+ s->x[1] ^= s->x[0];
+ s->x[3] ^= s->x[2];
+ s->x[0] ^= s->x[4];
 /* linear layer */
- xtemp = XOR(s->x0, ROR(s->x0, 28 - 19));
- s->x0 = XOR(s->x0, ROR(xtemp, 19));
- xtemp = XOR(s->x1, ROR(s->x1, 61 - 39));
- s->x1 = XOR(s->x1, ROR(xtemp, 39));
- xtemp = XOR(s->x2, ROR(s->x2, 6 - 1));
- s->x2 = XOR(s->x2, ROR(xtemp, 1));
- xtemp = XOR(s->x3, ROR(s->x3, 17 - 10));
- s->x3 = XOR(s->x3, ROR(xtemp, 10));
- xtemp = XOR(s->x4, ROR(s->x4, 41 - 7));
- s->x4 = XOR(s->x4, ROR(xtemp, 7));
- s->x2 = NOT(s->x2);
+ xtemp = s->x[0] ^ ROR(s->x[0], 28 - 19);
+ s->x[0] ^= ROR(xtemp, 19);
+ xtemp = s->x[1] ^ ROR(s->x[1], 61 - 39);
+ s->x[1] ^= ROR(xtemp, 39);
+ xtemp = s->x[2] ^ ROR(s->x[2], 6 - 1);
+ s->x[2] ^= ROR(xtemp, 1);
+ xtemp = s->x[3] ^ ROR(s->x[3], 17 - 10);
+ s->x[3] ^= ROR(xtemp, 10);
+ xtemp = s->x[4] ^ ROR(s->x[4], 41 - 7);
+ s->x[4] ^= ROR(xtemp, 7);
+ s->x[2] = ~s->x[2];
 printstate(" round output", s);
 }
+forceinline void PROUNDS(state_t* s, int nr) {
+ int i = START(nr);
+ do {
+ ROUND(s, RC(i));
+ i += INC;
+ } while (i != END);
+}
+
 #endif /* ROUND_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/update.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/update.c
index 7a4baa8..b81b24e 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/update.c
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/update.c
@@ -3,30 +3,75 @@
 #include "permutations.h"
 #include "printstate.h"
+#ifdef ASCON_AEAD_RATE
+
+#if ASCON_AEAD_RATE == ASCON_128_RATE
+#define ASCON_AEAD_ROUNDS ASCON_128_PB_ROUNDS
+#else
+#define ASCON_AEAD_ROUNDS ASCON_128A_PB_ROUNDS
+#endif
+
 void ascon_update(state_t* s, uint8_t* out, const uint8_t* in, uint64_t len,
 uint8_t mode) {
- const int rate = 8;
- const int nr = 6;
- word_t tmp0;
- int n = 0;
- while (len) {
- /* determine block size */
- n = len < rate ? len : rate;
+#if defined(ASCON_HASH_BYTES)
+ const int nr = (mode & ASCON_HASH) ? ASCON_HASH_ROUNDS : ASCON_AEAD_ROUNDS;
+ const int rate = (mode & ASCON_HASH) ? ASCON_HASH_RATE : ASCON_AEAD_RATE;
+#else
+ const int nr = ASCON_AEAD_ROUNDS;
+ const int rate = ASCON_AEAD_RATE;
+#endif
+#if ASCON_AEAD_RATE == 8
+ const int i = 0;
+#else
+ int i = 0;
+#endif
+ uint64_t tmp;
+ while (len >= 8) {
 /* absorb data */
- tmp0 = LOAD(in, n);
- s->x0 = XOR(s->x0, tmp0);
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOAD(in, 8);
+ s->x[i] ^= tmp;
+ if (mode == ASCON_ABSORB) printstate("absorb adata", s);
+ if (mode == ASCON_ENCRYPT) printstate("absorb plaintext", s);
+ }
 /* extract data */
- if (mode & ASCON_SQUEEZE) STORE(out, s->x0, n);
+ if (mode & ASCON_SQUEEZE) {
+ STORE(out, s->x[i], 8);
+ if (mode & ASCON_HASH) printstate("squeeze output", s);
+ }
 /* insert data */
 if (mode & ASCON_INSERT) {
- s->x0 = CLEAR(s->x0, n);
- s->x0 = XOR(s->x0, tmp0);
+ s->x[i] = tmp;
+ printstate("insert ciphertext", s);
 }
 /* compute permutation for full blocks */
- if (n == rate) P(s, nr);
- in += n;
- out += n;
- len -= n;
+#if ASCON_AEAD_RATE == 16
+ if (++i == rate / 8) i = 0;
+#endif
+ if (i == 0) P(s, nr);
+ in += 8;
+ out += 8;
+ len -= 8;
 }
- s->x0 = XOR(s->x0, PAD(n % 8));
+ /* absorb data */
+#ifdef ASCON_HASH_BYTES
+ if (mode & ASCON_ABSORB)
+#endif
+ {
+ tmp = LOADBYTES(in, len);
+ s->x[i] ^= tmp;
+ }
+ /* extract data */
+ if (mode & ASCON_SQUEEZE) STOREBYTES(out, s->x[i], len);
+ /* insert data */
+ if (mode & ASCON_INSERT) {
+ s->x[i] = CLEAR(s->x[i], len);
+ s->x[i] ^= tmp;
+ }
+ s->x[i] ^= PAD(len);
 }
+
+#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/word.h
index 3df73c4..79bfeb4 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/word.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt64_lowsize/word.h
@@ -2,30 +2,27 @@
 #define WORD_H_
 #include
+#include
 #include "endian.h"
 #include "forceinline.h"
-typedef uint64_t word_t;
+typedef union {
+ uint64_t x;
+ uint32_t w[2];
+ uint8_t b[8];
+} word_t;
-#define WORD_T
-#define UINT64_T
-#define U64TOWORD
-#define WORDTOU64
+#define U64TOWORD(x) U64BIG(x)
+#define WORDTOU64(x) U64BIG(x)
-forceinline word_t ROR(word_t x, int n) { return x >> n | x << (64 - n); }
+forceinline uint64_t ROR(uint64_t x, int n) { return x >> n | x << (-n & 63); }
-forceinline word_t NOT(word_t a) { return ~a; }
-
-forceinline word_t XOR(word_t a, word_t b) { return a ^ b; }
-
-forceinline word_t AND(word_t a, word_t b) { return a & b; }
-
-forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) {
+forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) {
 return lo2hi << 32 | hi2lo >> 32;
 }
-forceinline int NOTZERO(word_t a, word_t b) {
+forceinline int NOTZERO(uint64_t a, uint64_t b) {
 uint64_t result = a | b;
 result |= result >> 32;
 result |= result >> 16;
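Review bot: The block loop in ascon_update() executes `out += 8` unconditionally, and ascon_aead() in this patch passes `(void*)0` as out when it absorbs associated data, so pointer arithmetic is performed on a null pointer; that is undefined behaviour in ISO C even though out is never dereferenced in ABSORB mode, and `if (mode & ASCON_SQUEEZE) out += 8;` removes it without changing what is stored. `uint64_t tmp` is declared without an initializer and read in both ASCON_INSERT branches; in the non-hash build every path assigns it first, but when ASCON_HASH_BYTES is defined and a mode carries INSERT without ABSORB the read would be uninitialized, which deserves either a comment stating that such a mode does not exist or a `= 0`. The opt64_lowsize update.c here is the only copy of this file in the chunk, so this applies once.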
@@ -33,11 +30,13 @@ forceinline int NOTZERO(word_t a, word_t b) {
 return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1;
 }
-forceinline word_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); }
+
+forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; }
-forceinline word_t CLEAR(word_t w, int n) {
+forceinline uint64_t CLEAR(uint64_t w, int n) {
 /* undefined for n == 0 */
- uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8);
+ uint64_t mask = ~0ull >> (8 * n);
 return w & mask;
 }
@@ -46,24 +45,25 @@ forceinline uint64_t MASK(int n) { return ~0ull >> (64 - 8 * n); }
-forceinline word_t LOAD(const uint8_t* bytes, int n) {
+forceinline uint64_t LOAD(const uint8_t* bytes, int n) {
 uint64_t x = *(uint64_t*)bytes & MASK(n);
- return U64BIG(x);
+ return U64TOWORD(x);
 }
-forceinline void STORE(uint8_t* bytes, word_t w, int n) {
+forceinline void STORE(uint8_t* bytes, uint64_t w, int n) {
 *(uint64_t*)bytes &= ~MASK(n);
- *(uint64_t*)bytes |= U64BIG(w);
+ *(uint64_t*)bytes |= WORDTOU64(w);
 }
-forceinline word_t LOADBYTES(const uint8_t* bytes, int n) {
+forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) {
 uint64_t x = 0;
- for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i];
- return x;
+ memcpy(&x, bytes, n);
+ return U64TOWORD(x);
 }
-forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) {
- for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&w)[7 - i];
+forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) {
+ uint64_t x = WORDTOU64(w);
+ memcpy(bytes, &x, n);
 }
 #endif /* WORD_H_ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/api.h
index 017428a..085b24c 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/api.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/api.h
@@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 20 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/ascon.h index 990027b..196110e 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/ascon.h @@ -5,14 +5,28 @@ #include "word.h" -typedef struct { - word_t x0, x1, x2, x3, x4; +typedef union { + uint64_t x[5]; + uint32_t w[5][2]; + uint8_t b[5][8]; } state_t; -void ascon_aeadinit(state_t* s, const uint8_t* npub, const uint8_t* k); +typedef struct { +#if (CRYPTO_KEYBYTES == 20) + uint64_t k0; +#endif + uint64_t k1; + uint64_t k2; +} key_t; + +void ascon_initaead(state_t* s, const uint8_t* npub, const key_t* k); void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen); void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, uint64_t mlen); void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, uint64_t clen); -void ascon_final(state_t* s, const uint8_t* k); +void ascon_final(state_t* s, const key_t* k); + +void ascon_inithash(state_t* s); +void ascon_absorb(state_t* s, const uint8_t* in, uint64_t inlen); +void ascon_squeeze(state_t* s, uint8_t* out, uint64_t outlen); -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/config.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/config.h index f5873d0..a4f5879 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/config.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/config.h @@ -3,7 +3,7 @@ /* inline the ascon mode */ #ifndef ASCON_INLINE_MODE -#define ASCON_INLINE_MODE 1 +#define ASCON_INLINE_MODE 0 #endif /* inline all permutations */ 
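Review bot: The new `typedef struct { ... } key_t;` in ascon.h reuses `key_t`, the POSIX System V IPC key type declared in `<sys/types.h>`; on glibc that header is typically pulled in by `<stdlib.h>` under the default feature macros, so a translation unit that includes both will fail with a conflicting typedef. A project-prefixed name such as `ascon_key_t` avoids the clash and matches the `ascon_` prefix already used by the functions declared below it. The `#if (CRYPTO_KEYBYTES == 20)` inside the struct also makes the layout depend on api.h having been included before ascon.h; the include order is not visible in this hunk, so an explicit `#include "api.h"` here would make that dependency safe.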
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/constants.h new file mode 100644 index 0000000..f2cb740 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV 0x80400c0600000000ull +#define ASCON_128A_IV 0x80800c0800000000ull +#define ASCON_80PQ_IV 0xa0400c0600000000ull + +#define ASCON_HASH_IV 0x00400c0000000100ull +#define ASCON_HASHA_IV 0x00400c0400000100ull +#define ASCON_XOF_IV 0x00400c0000000000ull +#define ASCON_XOFA_IV 0x00400c0400000000ull + +#define ASCON_PRF_IV 0x80808c0000000000ull +#define ASCON_MAC_IV 0x80808c0000000080ull +#define ASCON_PRFS_IV 0x80004c8000000000ull + +#define ASCON_HASH_IV0 0xee9398aadb67f03dull +#define ASCON_HASH_IV1 0x8bb21831c60f1002ull +#define ASCON_HASH_IV2 0xb48a92db98d5da62ull +#define ASCON_HASH_IV3 0x43189921b8f8e3e8ull +#define ASCON_HASH_IV4 0x348fa5c9d525e140ull + +#define ASCON_HASHA_IV0 0x01470194fc6528a6ull +#define ASCON_HASHA_IV1 0x738ec38ac0adffa7ull +#define ASCON_HASHA_IV2 0x2ec8e3296c76384cull +#define ASCON_HASHA_IV3 0xd6f6a54d7f52377dull +#define ASCON_HASHA_IV4 0xa13c42a223be8d87ull + +#define ASCON_XOF_IV0 0xb57e273b814cd416ull +#define ASCON_XOF_IV1 0x2b51042562ae2420ull +#define ASCON_XOF_IV2 0x66a3a7768ddf2218ull +#define ASCON_XOF_IV3 0x5aad0a7a8153650cull +#define ASCON_XOF_IV4 0x4f3e0e32539493b6ull + +#define ASCON_XOFA_IV0 0x44906568b77b9832ull +#define ASCON_XOFA_IV1 0xcd8d6cae53455532ull +#define ASCON_XOFA_IV2 0xf7b5212756422129ull +#define ASCON_XOFA_IV3 0x246885e1de0d225bull +#define 
ASCON_XOFA_IV4 0xa8cb5ce33449973full + +#define RC0 0xf0 +#define RC1 0xe1 +#define RC2 0xd2 +#define RC3 0xc3 +#define RC4 0xb4 +#define RC5 0xa5 +#define RC6 0x96 +#define RC7 0x87 +#define RC8 0x78 +#define RC9 0x69 +#define RCa 0x5a +#define RCb 0x4b + +#define RC(i) (i) + +#define START(n) ((3 + (n)) << 4 | (12 - (n))) +#define INC -0x0f +#define END 0x3c + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/encrypt.c new file mode 100644 index 0000000..631e60c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/encrypt.c 
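Review bot: The new header exports the unprefixed macros `START`, `INC`, `END`, `RC` and `RC0`..`RCb` next to the `ASCON_`-prefixed constants; `END` and `INC` are common identifier names, and a clash with a user's or another library's macro would change the `PROUNDS` loop bounds silently rather than fail to compile. Prefixing them (`ASCON_RC_START`, `ASCON_RC_INC`, `ASCON_RC_END`) keeps the namespace consistent with the rest of the file. Separately, `ASCON_PRF_IV 0x80808c0000000000ull` hardcodes a 128-bit key length in the top byte, whereas the ref/constants.h added in this same patch derives that byte from `CRYPTO_KEYBYTES` (20 for this implementation); none of the AEAD code in the patch references the PRF IVs, so this is an inconsistency to note rather than a functional break.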
@@ -0,0 +1,220 @@ +#include "api.h" +#include "ascon.h" +#include "crypto_aead.h" +#include "permutations.h" +#include "printstate.h" + +#if !ASCON_INLINE_MODE +#undef forceinline +#define forceinline +#endif + +#ifdef ASCON_AEAD_RATE + +forceinline void ascon_loadkey(key_t* key, const uint8_t* k) { +#if CRYPTO_KEYBYTES == 16 + key->k1 = LOAD(k, 8); + key->k2 = LOAD(k + 8, 8); +#else /* CRYPTO_KEYBYTES == 20 */ + key->k0 = KEYROT(0, LOADBYTES(k, 4)); + key->k1 = LOADBYTES(k + 4, 8); + key->k2 = LOADBYTES(k + 12, 8); +#endif +} + +forceinline void ascon_initaead(state_t* s, const uint8_t* npub, + const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) s->x[0] = ASCON_128_IV; + if (ASCON_AEAD_RATE == 16) s->x[0] = ASCON_128A_IV; +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[0] = ASCON_80PQ_IV ^ key->k0; +#endif + s->x[1] = key->k1; + s->x[2] = key->k2; + s->x[3] = LOAD(npub, 8); + s->x[4] = LOAD(npub + 8, 8); + printstate("init 1st key xor", s); + P(s, 12); +#if CRYPTO_KEYBYTES == 20 + s->x[2] ^= key->k0; +#endif + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("init 2nd key xor", s); +} + +forceinline void ascon_adata(state_t* s, const uint8_t* ad, uint64_t adlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(ad, 8); + if (ASCON_AEAD_RATE == 16) s->x[1] ^= LOAD(ad + 8, 8); + printstate("absorb adata", s); + P(s, nr); + ad += ASCON_AEAD_RATE; + adlen -= ASCON_AEAD_RATE; + } + /* final associated data block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && adlen >= 8) { + s->x[0] ^= LOAD(ad, 8); + px = &s->x[1]; + ad += 8; + adlen -= 8; + } + *px ^= PAD(adlen); + if (adlen) *px ^= LOAD(ad, adlen); + printstate("pad adata", s); + P(s, nr); + } + /* domain separation */ + s->x[4] ^= 1; + printstate("domain separation", s); +} + +forceinline void ascon_encrypt(state_t* s, uint8_t* c, const uint8_t* m, + uint64_t mlen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 6 : 8; + /* full plaintext blocks */ + while (mlen >= ASCON_AEAD_RATE) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + if (ASCON_AEAD_RATE == 16) { + s->x[1] ^= LOAD(m + 8, 8); + STORE(c + 8, s->x[1], 8); + } + printstate("absorb plaintext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + mlen -= ASCON_AEAD_RATE; + } + /* final plaintext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && mlen >= 8) { + s->x[0] ^= LOAD(m, 8); + STORE(c, s->x[0], 8); + px = &s->x[1]; + m += 8; + c += 8; + mlen -= 8; + } + *px ^= PAD(mlen); + if (mlen) { + *px ^= LOAD(m, mlen); + STORE(c, *px, mlen); + } + printstate("pad plaintext", s); +} + +forceinline void ascon_decrypt(state_t* s, uint8_t* m, const uint8_t* c, + uint64_t clen) { + const int nr = (ASCON_AEAD_RATE == 8) ? 
6 : 8; + /* full ciphertext blocks */ + while (clen >= ASCON_AEAD_RATE) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + if (ASCON_AEAD_RATE == 16) { + cx = LOAD(c + 8, 8); + s->x[1] ^= cx; + STORE(m + 8, s->x[1], 8); + s->x[1] = cx; + } + printstate("insert ciphertext", s); + P(s, nr); + m += ASCON_AEAD_RATE; + c += ASCON_AEAD_RATE; + clen -= ASCON_AEAD_RATE; + } + /* final ciphertext block */ + uint64_t* px = &s->x[0]; + if (ASCON_AEAD_RATE == 16 && clen >= 8) { + uint64_t cx = LOAD(c, 8); + s->x[0] ^= cx; + STORE(m, s->x[0], 8); + s->x[0] = cx; + px = &s->x[1]; + m += 8; + c += 8; + clen -= 8; + } + *px ^= PAD(clen); + if (clen) { + uint64_t cx = LOAD(c, clen); + *px ^= cx; + STORE(m, *px, clen); + *px = CLEAR(*px, clen); + *px ^= cx; + } + printstate("pad ciphertext", s); +} + +forceinline void ascon_final(state_t* s, const key_t* key) { +#if CRYPTO_KEYBYTES == 16 + if (ASCON_AEAD_RATE == 8) { + s->x[1] ^= key->k1; + s->x[2] ^= key->k2; + } else { + s->x[2] ^= key->k1; + s->x[3] ^= key->k2; + } +#else /* CRYPTO_KEYBYTES == 20 */ + s->x[1] ^= KEYROT(key->k0, key->k1); + s->x[2] ^= KEYROT(key->k1, key->k2); + s->x[3] ^= KEYROT(key->k2, 0); +#endif + printstate("final 1st key xor", s); + P(s, 12); + s->x[3] ^= key->k1; + s->x[4] ^= key->k2; + printstate("final 2nd key xor", s); +} + +int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + *clen = mlen + CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_encrypt(&s, c, m, mlen); + ascon_final(&s, &key); + /* set tag */ + STOREBYTES(c + mlen, s.x[3], 8); + STOREBYTES(c + mlen + 8, s.x[4], 8); + return 0; +} + +int crypto_aead_decrypt(unsigned 
char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + state_t s; + (void)nsec; + if (clen < CRYPTO_ABYTES) return -1; + *mlen = clen = clen - CRYPTO_ABYTES; + /* perform ascon computation */ + key_t key; + ascon_loadkey(&key, k); + ascon_initaead(&s, npub, &key); + ascon_adata(&s, ad, adlen); + ascon_decrypt(&s, m, c, clen); + ascon_final(&s, &key); + /* verify tag (should be constant time, check compiler output) */ + s.x[3] ^= LOADBYTES(c + clen, 8); + s.x[4] ^= LOADBYTES(c + clen + 8, 8); + return NOTZERO(s.x[3], s.x[4]); +} + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.c index b979cd6..46450d4 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.c @@ -3,7 +3,20 @@ #if !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS void P12(state_t* s) { P12ROUNDS(s); } + +#endif + +#if ((defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 16) || \ + (defined(ASCON_HASH_ROUNDS) && ASCON_HASH_ROUNDS == 8)) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P8(state_t* s) { P8ROUNDS(s); } + +#endif + +#if (defined(ASCON_AEAD_RATE) && ASCON_AEAD_RATE == 8) && \ + !ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS + void P6(state_t* s) { P6ROUNDS(s); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.h index d640357..feaa7dc 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/permutations.h 
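Review bot: crypto_aead_decrypt writes the decrypted data to `m` and stores the length in `*mlen` before the tag is checked, so on a mismatch the caller receives unauthenticated plaintext alongside the -1 return; a caller that ignores the return value, or logs `m` for diagnostics, would act on forged data. Clearing the output on failure keeps the contract tight, e.g. replace the last line with `int result = NOTZERO(s.x[3], s.x[4]); if (result) { memset(m, 0, (size_t)clen); *mlen = 0; } return result;` (the `#include` added to word.h next to the new memcpy calls presumably brings in `<string.h>`; confirm). The same release-before-verify pattern is in the ref/encrypt.c hunk further down and would take the same fix. NOTZERO's `(((int)(result & 0xff) - 1) >> 8)` relies on the right shift of a negative `int` being arithmetic, which C leaves implementation-defined; the "check compiler output" comment acknowledges this, but building the mask with unsigned arithmetic, `(int)((((unsigned)(result & 0xff)) - 1u >> 8) & 1u) - 1`, removes the dependence.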
@@ -6,103 +6,43 @@ #include "api.h" #include "ascon.h" #include "config.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV WORD_T(0x80400c0600000000ull) -#define ASCON_128A_IV WORD_T(0x80800c0800000000ull) -#define ASCON_80PQ_IV WORD_T(0xa0400c0600000000ull) -#define ASCON_HASH_IV WORD_T(0x00400c0000000100ull) -#define ASCON_HASHA_IV WORD_T(0x00400c0400000100ull) -#define ASCON_XOF_IV WORD_T(0x00400c0000000000ull) -#define ASCON_XOFA_IV WORD_T(0x00400c0400000000ull) - -#define ASCON_HASH_IV0 WORD_T(0xee9398aadb67f03dull) -#define ASCON_HASH_IV1 WORD_T(0x8bb21831c60f1002ull) -#define ASCON_HASH_IV2 WORD_T(0xb48a92db98d5da62ull) -#define ASCON_HASH_IV3 WORD_T(0x43189921b8f8e3e8ull) -#define ASCON_HASH_IV4 WORD_T(0x348fa5c9d525e140ull) - -#define ASCON_HASHA_IV0 WORD_T(0x01470194fc6528a6ull) -#define ASCON_HASHA_IV1 WORD_T(0x738ec38ac0adffa7ull) -#define ASCON_HASHA_IV2 WORD_T(0x2ec8e3296c76384cull) -#define ASCON_HASHA_IV3 WORD_T(0xd6f6a54d7f52377dull) -#define ASCON_HASHA_IV4 WORD_T(0xa13c42a223be8d87ull) - -#define ASCON_XOF_IV0 WORD_T(0xb57e273b814cd416ull) -#define ASCON_XOF_IV1 WORD_T(0x2b51042562ae2420ull) -#define ASCON_XOF_IV2 WORD_T(0x66a3a7768ddf2218ull) -#define ASCON_XOF_IV3 WORD_T(0x5aad0a7a8153650cull) -#define ASCON_XOF_IV4 WORD_T(0x4f3e0e32539493b6ull) - -#define ASCON_XOFA_IV0 WORD_T(0x44906568b77b9832ull) -#define ASCON_XOFA_IV1 WORD_T(0xcd8d6cae53455532ull) -#define ASCON_XOFA_IV2 WORD_T(0xf7b5212756422129ull) -#define ASCON_XOFA_IV3 
WORD_T(0x246885e1de0d225bull) -#define ASCON_XOFA_IV4 WORD_T(0xa8cb5ce33449973full) - -#define START(n) ((3 + (n)) << 4 | (12 - (n))) -#define RC(c) WORD_T(c) - forceinline void P12ROUNDS(state_t* s) { - ROUND(s, RC(0xf0)); - ROUND(s, RC(0xe1)); - ROUND(s, RC(0xd2)); - ROUND(s, RC(0xc3)); - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC0); + ROUND(s, RC1); + ROUND(s, RC2); + ROUND(s, RC3); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P8ROUNDS(state_t* s) { - ROUND(s, RC(0xb4)); - ROUND(s, RC(0xa5)); - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); + ROUND(s, RC4); + ROUND(s, RC5); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } forceinline void P6ROUNDS(state_t* s) { - ROUND(s, RC(0x96)); - ROUND(s, RC(0x87)); - ROUND(s, RC(0x78)); - ROUND(s, RC(0x69)); - ROUND(s, RC(0x5a)); - ROUND(s, RC(0x4b)); -} - -forceinline void PROUNDS(state_t* s, int nr) { - for (int i = START(nr); i > 0x4a; i -= 0x0f) ROUND(s, RC(i)); + ROUND(s, RC6); + ROUND(s, RC7); + ROUND(s, RC8); + ROUND(s, RC9); + ROUND(s, RCa); + ROUND(s, RCb); } #if ASCON_INLINE_PERM && ASCON_UNROLL_LOOPS diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.c 
@@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.h index 77fc246..8b95b06 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/printstate.h @@ -1,12 +1,12 @@ #ifndef PRINTSTATE_H_ #define PRINTSTATE_H_ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "ascon.h" #include "word.h" -void printword(const char* text, const word_t x); +void printword(const char* text, const uint64_t x); void printstate(const char* text, const state_t* s); #else diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/round.h index b4635a6..c059bbc 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/round.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/round.h 
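Review bot: printstate dumps all five state words, and the trace points added in encrypt.c (`init 1st key xor`, `final 2nd key xor`) are taken while `x[1]`/`x[2]` hold the raw key words and `x[3]`/`x[4]` hold the tag, so a build with `ASCON_PRINT_STATE` defined writes key material and tags to stdout; that should be stated at the guard, e.g. `/* debug only: prints key-bearing state words, never enable in release builds */`. The guard macro is also renamed from `ASCON_PRINTSTATE` to `ASCON_PRINT_STATE` in both printstate.c and printstate.h, so build configurations that pass the old name silently stop tracing instead of failing. `for (int i = strlen(text); i < 17; ++i)` narrows a `size_t` into `int`; `size_t i` matches the return type. The same changes appear in the ref/printstate.c hunk further down.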
@@ -4,50 +4,61 @@ #include "ascon.h" #include "printstate.h" -forceinline void KINIT(word_t* K0, word_t* K1, word_t* K2) { - *K0 = WORD_T(0); - *K1 = WORD_T(0); - *K2 = WORD_T(0); +forceinline void LINEAR_LAYER(state_t* s, uint64_t xtemp) { + uint64_t temp; + temp = s->x[2] ^ ROR(s->x[2], 28 - 19); + s->x[0] = s->x[2] ^ ROR(temp, 19); + temp = s->x[4] ^ ROR(s->x[4], 6 - 1); + s->x[2] = s->x[4] ^ ROR(temp, 1); + temp = s->x[1] ^ ROR(s->x[1], 41 - 7); + s->x[4] = s->x[1] ^ ROR(temp, 7); + temp = s->x[3] ^ ROR(s->x[3], 61 - 39); + s->x[1] = s->x[3] ^ ROR(temp, 39); + temp = xtemp ^ ROR(xtemp, 17 - 10); + s->x[3] = xtemp ^ ROR(temp, 10); } -forceinline void PINIT(state_t* s) { - s->x0 = WORD_T(0); - s->x1 = WORD_T(0); - s->x2 = WORD_T(0); - s->x3 = WORD_T(0); - s->x4 = WORD_T(0); +forceinline void NONLINEAR_LAYER(state_t* s, word_t* xtemp, uint8_t pos) { + uint8_t t0; + uint8_t t1; + uint8_t t2; + // Based on the round description of Ascon given in the Bachelor's thesis: + //"Optimizing Ascon on RISC-V" of Lars Jellema + // see https://github.com/Lucus16/ascon-riscv/ + t0 = XOR8(s->b[1][pos], s->b[2][pos]); + t1 = XOR8(s->b[0][pos], s->b[4][pos]); + t2 = XOR8(s->b[3][pos], s->b[4][pos]); + s->b[4][pos] = OR8(s->b[3][pos], NOT8(s->b[4][pos])); + s->b[4][pos] = XOR8(s->b[4][pos], t0); + s->b[3][pos] = XOR8(s->b[3][pos], s->b[1][pos]); + s->b[3][pos] = OR8(s->b[3][pos], t0); + s->b[3][pos] = XOR8(s->b[3][pos], t1); + s->b[2][pos] = XOR8(s->b[2][pos], t1); + s->b[2][pos] = OR8(s->b[2][pos], s->b[1][pos]); + s->b[2][pos] = XOR8(s->b[2][pos], t2); + s->b[1][pos] = AND8(s->b[1][pos], NOT8(t1)); + s->b[1][pos] = XOR8(s->b[1][pos], t2); + s->b[0][pos] = OR8(s->b[0][pos], t2); + (*xtemp).b[pos] = XOR8(s->b[0][pos], t0); } -forceinline void ROUND(state_t* s, word_t C) { +forceinline void ROUND(state_t* s, uint8_t C) { word_t xtemp; /* round constant */ - s->x2 = XOR(s->x2, C); + s->b[2][0] = XOR8(s->b[2][0], C); /* s-box layer */ - s->x0 = XOR(s->x0, s->x4); - s->x4 = XOR(s->x4, 
s->x3); - s->x2 = XOR(s->x2, s->x1); - xtemp = AND(s->x0, NOT(s->x4)); - s->x0 = XOR(s->x0, AND(s->x2, NOT(s->x1))); - s->x2 = XOR(s->x2, AND(s->x4, NOT(s->x3))); - s->x4 = XOR(s->x4, AND(s->x1, NOT(s->x0))); - s->x1 = XOR(s->x1, AND(s->x3, NOT(s->x2))); - s->x3 = XOR(s->x3, xtemp); - s->x1 = XOR(s->x1, s->x0); - s->x3 = XOR(s->x3, s->x2); - s->x0 = XOR(s->x0, s->x4); + for (uint8_t i = 0; i < 8; i++) NONLINEAR_LAYER(s, &xtemp, i); /* linear layer */ - xtemp = XOR(s->x0, ROR(s->x0, 28 - 19)); - s->x0 = XOR(s->x0, ROR(xtemp, 19)); - xtemp = XOR(s->x1, ROR(s->x1, 61 - 39)); - s->x1 = XOR(s->x1, ROR(xtemp, 39)); - xtemp = XOR(s->x2, ROR(s->x2, 6 - 1)); - s->x2 = XOR(s->x2, ROR(xtemp, 1)); - xtemp = XOR(s->x3, ROR(s->x3, 17 - 10)); - s->x3 = XOR(s->x3, ROR(xtemp, 10)); - xtemp = XOR(s->x4, ROR(s->x4, 41 - 7)); - s->x4 = XOR(s->x4, ROR(xtemp, 7)); - s->x2 = NOT(s->x2); + LINEAR_LAYER(s, xtemp.x); printstate(" round output", s); } +forceinline void PROUNDS(state_t* s, int nr) { + int i = START(nr); + do { + ROUND(s, RC(i)); + i += INC; + } while (i != END); +} + #endif /* ROUND_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/word.h index cda2e83..4fd3cf0 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/word.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/opt8/word.h @@ -2,17 +2,19 @@ #define WORD_H_ #include +#include #include "endian.h" #include "forceinline.h" typedef union { - uint64_t w; + uint64_t x; + uint32_t w[2]; uint8_t b[8]; } word_t; -#define U64TOWORD WORD_T -#define WORDTOU64 UINT64_T +#define U64TOWORD(x) U64BIG(x) +#define WORDTOU64(x) U64BIG(x) #define XMUL(i, x) \ do { \ 
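Review bot: ROUND injects the round constant with `s->b[2][0] = XOR8(s->b[2][0], C)` and NONLINEAR_LAYER runs the s-box over `s->b[i][pos]`, i.e. the byte at the lowest address of each state word; since LOAD/LOADBYTES store the canonical `U64TOWORD` value in `x[i]`, byte 0 is the least-significant byte only on a little-endian host, so on a big-endian target the constant would land in the top byte unless endian.h compensates — worth stating on ROUND, e.g. `/* byte-sliced s-box: assumes b[i][0] is the LSB of x[i] (little-endian host) */`. `word_t xtemp;` is left uninitialized but every byte is assigned by the loop before `xtemp.x` is read, which is correct yet deserves a one-line comment since compilers may warn. Style: `(*xtemp).b[pos]` reads more naturally as `xtemp->b[pos]`.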
@@ -21,8 +23,8 @@ typedef union { b.b[(byte_rol + (i) + 1) & 0x7] ^= tmp >> 8; \ } while (0) -forceinline word_t ROR(word_t a, int n) { - word_t b = {.w = 0ull}; +forceinline uint64_t ROR(uint64_t x, int n) { + word_t a = {.x = x}, b = {.x = 0ull}; int bit_rol = (64 - n) & 0x7; int byte_rol = (64 - n) >> 3; uint16_t tmp; 
@@ -34,73 +36,63 @@ forceinline word_t ROR(word_t a, int n) { XMUL(5, bit_rol); XMUL(6, bit_rol); XMUL(7, bit_rol); - return b; + return b.x; } -forceinline word_t WORD_T(uint64_t x) { return (word_t){.w = x}; } +forceinline uint8_t NOT8(uint8_t a) { return ~a; } -forceinline uint64_t UINT64_T(word_t w) { return w.w; } +forceinline uint8_t XOR8(uint8_t a, uint8_t b) { return a ^ b; } -forceinline word_t NOT(word_t a) { - a.w = ~a.w; - return a; -} - -forceinline word_t XOR(word_t a, word_t b) { - a.w ^= b.w; - return a; -} +forceinline uint8_t AND8(uint8_t a, uint8_t b) { return a & b; } -forceinline word_t AND(word_t a, word_t b) { - a.w &= b.w; - return a; -} +forceinline uint8_t OR8(uint8_t a, uint8_t b) { return a | b; } -forceinline word_t KEYROT(word_t lo2hi, word_t hi2lo) { - return (word_t){.w = lo2hi.w << 32 | hi2lo.w >> 32}; +forceinline uint64_t KEYROT(uint64_t lo2hi, uint64_t hi2lo) { + return lo2hi << 32 | hi2lo >> 32; } -forceinline int NOTZERO(word_t a, word_t b) { - uint64_t result = a.w | b.w; +forceinline int NOTZERO(uint64_t a, uint64_t b) { + uint64_t result = a | b; result |= result >> 32; result |= result >> 16; result |= result >> 8; return ((((int)(result & 0xff) - 1) >> 8) & 1) - 1; } -forceinline word_t PAD(int i) { return WORD_T(0x80ull << (56 - 8 * i)); } +forceinline uint64_t PAD(int i) { return 0x80ull << (56 - 8 * i); } -forceinline uint64_t MASK(int n) { +forceinline uint64_t PRFS_MLEN(uint64_t len) { return len << 51; } + +forceinline uint64_t CLEAR(uint64_t w, int n) { /* undefined for n == 0 */ - return ~0ull >> (64 - 8 * n); + uint64_t mask = ~0ull >> (8 * n); + return w & mask; } -forceinline word_t CLEAR(word_t w, int n) { +forceinline uint64_t MASK(int n) { /* undefined for n == 0 */ - uint64_t mask = 0x00ffffffffffffffull >> (n * 8 - 8); - return AND(w, WORD_T(mask)); + return ~0ull >> (64 - 8 * n); } -forceinline word_t LOAD(const uint8_t* bytes, int n) { +forceinline uint64_t LOAD(const uint8_t* bytes, int n) { uint64_t x = 
*(uint64_t*)bytes & MASK(n); - return U64TOWORD(U64BIG(x)); + return U64TOWORD(x); } -forceinline void STORE(uint8_t* bytes, word_t w, int n) { - uint64_t x = WORDTOU64(w); +forceinline void STORE(uint8_t* bytes, uint64_t w, int n) { *(uint64_t*)bytes &= ~MASK(n); - *(uint64_t*)bytes |= U64BIG(x); + *(uint64_t*)bytes |= WORDTOU64(w); } -forceinline word_t LOADBYTES(const uint8_t* bytes, int n) { +forceinline uint64_t LOADBYTES(const uint8_t* bytes, int n) { uint64_t x = 0; - for (int i = 0; i < n; ++i) ((uint8_t*)&x)[7 - i] = bytes[i]; + memcpy(&x, bytes, n); return U64TOWORD(x); } -forceinline void STOREBYTES(uint8_t* bytes, word_t w, int n) { +forceinline void STOREBYTES(uint8_t* bytes, uint64_t w, int n) { uint64_t x = WORDTOU64(w); - for (int i = 0; i < n; ++i) bytes[i] = ((uint8_t*)&x)[7 - i]; + memcpy(bytes, &x, n); } #endif /* WORD_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/api.h index 017428a..085b24c 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/api.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/api.h @@ -1,4 +1,4 @@ -#define CRYPTO_VERSION "1.2.5" +#define CRYPTO_VERSION "1.2.6" #define CRYPTO_KEYBYTES 20 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 16 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/ascon.h index c998868..78a7c27 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/ascon.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/ascon.h @@ -4,7 +4,7 @@ #include typedef struct { - uint64_t x0, x1, x2, x3, x4; + uint64_t x[5]; } state_t; -#endif /* ASCON_H */ +#endif /* ASCON_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/constants.h b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/constants.h new file mode 100644 index 0000000..dc3d36d --- /dev/null 
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/constants.h 
@@ -0,0 +1,87 @@ +#ifndef CONSTANTS_H_ +#define CONSTANTS_H_ + +#include + +#define ASCON_128_KEYBYTES 16 +#define ASCON_128A_KEYBYTES 16 +#define ASCON_80PQ_KEYBYTES 20 + +#define ASCON_128_RATE 8 +#define ASCON_128A_RATE 16 +#define ASCON_HASH_RATE 8 +#define ASCON_PRF_IN_RATE 32 +#define ASCON_PRF_OUT_RATE 16 + +#define ASCON_128_PA_ROUNDS 12 +#define ASCON_128_PB_ROUNDS 6 + +#define ASCON_128A_PA_ROUNDS 12 +#define ASCON_128A_PB_ROUNDS 8 + +#define ASCON_HASH_PA_ROUNDS 12 +#define ASCON_HASH_PB_ROUNDS 12 + +#define ASCON_HASHA_PA_ROUNDS 12 +#define ASCON_HASHA_PB_ROUNDS 8 + +#define ASCON_PRF_PA_ROUNDS 12 +#define ASCON_PRF_PB_ROUNDS 12 + +#define ASCON_128_IV \ + (((uint64_t)(ASCON_128_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) + +#define ASCON_128A_IV \ + (((uint64_t)(ASCON_128A_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_128A_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_128A_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_128A_PB_ROUNDS) << 32)) + +#define ASCON_80PQ_IV \ + (((uint64_t)(ASCON_80PQ_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) + +#define ASCON_HASH_IV \ + (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32) | \ + ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) + +#define ASCON_HASHA_IV \ + (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32) | \ + ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) + +#define ASCON_XOF_IV \ + (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32)) + +#define ASCON_XOFA_IV \ + 
(((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32)) + +#define ASCON_PRF_IV \ + (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_PRF_OUT_RATE * 8) << 48) | \ + ((uint64_t)(0x80 | ASCON_PRF_PA_ROUNDS) << 40)) + +#define ASCON_MAC_IV \ + (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \ + ((uint64_t)(ASCON_PRF_OUT_RATE * 8) << 48) | \ + ((uint64_t)(0x80 | ASCON_PRF_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_PRF_BYTES * 8) << 0)) + +#define ASCON_PRFS_IV \ + (((uint64_t)(CRYPTO_KEYBYTES * 8) << 56) | \ + ((uint64_t)(0x40 | ASCON_PRF_PA_ROUNDS) << 40) | \ + ((uint64_t)(ASCON_PRF_BYTES * 8) << 32)) + +#endif /* CONSTANTS_H_ */ diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/encrypt.c index 0691f61..5fc4669 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/encrypt.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/encrypt.c 
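Review bot: `ASCON_HASH_IV`, `ASCON_HASHA_IV`, `ASCON_PRF_IV`, `ASCON_MAC_IV` and `ASCON_PRFS_IV` expand `ASCON_HASH_BYTES`, `ASCON_PRF_BYTES` and `CRYPTO_KEYBYTES`, none of which this header defines or includes; the `#define ASCON_HASH_BYTES 32` that used to sit next to these IVs is removed from ref/permutations.h in the same patch, so the hash IVs now only work if some api.h is included before constants.h. Nothing in the AEAD path visible here expands them, so the build survives, but a header that is only valid under an implicit include order is fragile; an `#include "api.h"` at the top, or an `#ifdef ASCON_HASH_BYTES` guard around the hash/PRF IVs, would make the dependency explicit. The single `#include` at the top lost its argument in this rendering, presumably `<stdint.h>` for the `uint64_t` casts.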
@@ -24,62 +24,163 @@ int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen, /* initialize */ state_t s; - s.x0 = ASCON_80PQ_IV | K0; - s.x1 = K1; - s.x2 = K2; - s.x3 = N0; - s.x4 = N1; + s.x[0] = ASCON_80PQ_IV | K0; + s.x[1] = K1; + s.x[2] = K2; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); P12(&s); - s.x2 ^= K0; - s.x3 ^= K1; - s.x4 ^= K2; - printstate("initialization", &s); + s.x[2] ^= K0; + s.x[3] ^= K1; + s.x[4] ^= K2; + printstate("init 2nd key xor", &s); if (adlen) { /* full associated data blocks */ while (adlen >= ASCON_128_RATE) { - s.x0 ^= LOADBYTES(ad, 8); + s.x[0] ^= LOADBYTES(ad, 8); + printstate("absorb adata", &s); P6(&s); ad += ASCON_128_RATE; adlen -= ASCON_128_RATE; } /* final associated data block */ - s.x0 ^= LOADBYTES(ad, adlen); - s.x0 ^= PAD(adlen); + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + printstate("pad adata", &s); P6(&s); } /* domain separation */ - s.x4 ^= 1; - printstate("process associated data", &s); + s.x[4] ^= 1; + printstate("domain separation", &s); /* full plaintext blocks */ while (mlen >= ASCON_128_RATE) { - s.x0 ^= LOADBYTES(m, 8); - STOREBYTES(c, s.x0, 8); + s.x[0] ^= LOADBYTES(m, 8); + STOREBYTES(c, s.x[0], 8); + printstate("absorb plaintext", &s); P6(&s); m += ASCON_128_RATE; c += ASCON_128_RATE; mlen -= ASCON_128_RATE; } /* final plaintext block */ - s.x0 ^= LOADBYTES(m, mlen); - STOREBYTES(c, s.x0, mlen); - s.x0 ^= PAD(mlen); + s.x[0] ^= LOADBYTES(m, mlen); + STOREBYTES(c, s.x[0], mlen); + s.x[0] ^= PAD(mlen); c += mlen; - printstate("process plaintext", &s); + printstate("pad plaintext", &s); /* finalize */ - s.x1 ^= K0 << 32 | K1 >> 32; - s.x2 ^= K1 << 32 | K2 >> 32; - s.x3 ^= K2 << 32; + s.x[1] ^= K0 << 32 | K1 >> 32; + s.x[2] ^= K1 << 32 | K2 >> 32; + s.x[3] ^= K2 << 32; + printstate("final 1st key xor", &s); P12(&s); - s.x3 ^= K1; - s.x4 ^= K2; - printstate("finalization", &s); + s.x[3] ^= K1; + s.x[4] ^= K2; + printstate("final 2nd key xor", &s); /* set tag */ - 
STOREBYTES(c, s.x3, 8); - STOREBYTES(c + 8, s.x4, 8); + STOREBYTES(c, s.x[3], 8); + STOREBYTES(c + 8, s.x[4], 8); return 0; } + +int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen, + unsigned char* nsec, const unsigned char* c, + unsigned long long clen, const unsigned char* ad, + unsigned long long adlen, const unsigned char* npub, + const unsigned char* k) { + (void)nsec; + + if (clen < CRYPTO_ABYTES) return -1; + + /* set plaintext size */ + *mlen = clen - CRYPTO_ABYTES; + + /* load key and nonce */ + const uint64_t K0 = LOADBYTES(k + 0, 4) >> 32; + const uint64_t K1 = LOADBYTES(k + 4, 8); + const uint64_t K2 = LOADBYTES(k + 12, 8); + const uint64_t N0 = LOADBYTES(npub, 8); + const uint64_t N1 = LOADBYTES(npub + 8, 8); + + /* initialize */ + state_t s; + s.x[0] = ASCON_80PQ_IV | K0; + s.x[1] = K1; + s.x[2] = K2; + s.x[3] = N0; + s.x[4] = N1; + printstate("init 1st key xor", &s); + P12(&s); + s.x[2] ^= K0; + s.x[3] ^= K1; + s.x[4] ^= K2; + printstate("init 2nd key xor", &s); + + if (adlen) { + /* full associated data blocks */ + while (adlen >= ASCON_128_RATE) { + s.x[0] ^= LOADBYTES(ad, 8); + printstate("absorb adata", &s); + P6(&s); + ad += ASCON_128_RATE; + adlen -= ASCON_128_RATE; + } + /* final associated data block */ + s.x[0] ^= LOADBYTES(ad, adlen); + s.x[0] ^= PAD(adlen); + printstate("pad adata", &s); + P6(&s); + } + /* domain separation */ + s.x[4] ^= 1; + printstate("domain separation", &s); + + /* full ciphertext blocks */ + clen -= CRYPTO_ABYTES; + while (clen >= ASCON_128_RATE) { + uint64_t c0 = LOADBYTES(c, 8); + STOREBYTES(m, s.x[0] ^ c0, 8); + s.x[0] = c0; + printstate("insert ciphertext", &s); + P6(&s); + m += ASCON_128_RATE; + c += ASCON_128_RATE; + clen -= ASCON_128_RATE; + } + /* final ciphertext block */ + uint64_t c0 = LOADBYTES(c, clen); + STOREBYTES(m, s.x[0] ^ c0, clen); + s.x[0] = CLEARBYTES(s.x[0], clen); + s.x[0] |= c0; + s.x[0] ^= PAD(clen); + c += clen; + printstate("pad ciphertext", &s); + + /* finalize */ + s.x[1] 
^= K0 << 32 | K1 >> 32; + s.x[2] ^= K1 << 32 | K2 >> 32; + s.x[3] ^= K2 << 32; + printstate("final 1st key xor", &s); + P12(&s); + s.x[3] ^= K1; + s.x[4] ^= K2; + printstate("final 2nd key xor", &s); + + /* set tag */ + uint8_t t[16]; + STOREBYTES(t, s.x[3], 8); + STOREBYTES(t + 8, s.x[4], 8); + + /* verify tag (should be constant time, check compiler output) */ + int result = 0; + for (int i = 0; i < CRYPTO_ABYTES; ++i) result |= c[i] ^ t[i]; + result = (((result - 1) >> 8) & 1) - 1; + + return result; +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/permutations.h b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/permutations.h index ff5724d..3b9b892 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/permutations.h +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/permutations.h 
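Review bot: The tag scratch buffer is declared as `uint8_t t[16]` while the comparison loop runs to `CRYPTO_ABYTES`; the two agree only while CRYPTO_ABYTES is 16 (its definition is not in this chunk), so `uint8_t t[CRYPTO_ABYTES];` ties them together and also keeps the two STOREBYTES calls in bounds by construction. `result = (((result - 1) >> 8) & 1) - 1;` relies on the right shift of a negative `int` being arithmetic, which the C standard leaves implementation-defined; `result = (int)((((unsigned)result - 1u) >> 8) & 1u) - 1;` gives the same 0/-1 mask without that dependence. The leading `clen -= CRYPTO_ABYTES;` repeats the subtraction already done for `*mlen`; `clen = *mlen;` would make the relationship explicit. crypto_aead_encrypt begins before this hunk's first line.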
@@ -4,73 +4,11 @@ #include #include "ascon.h" +#include "constants.h" #include "printstate.h" #include "round.h" -#define ASCON_128_KEYBYTES 16 -#define ASCON_128A_KEYBYTES 16 -#define ASCON_80PQ_KEYBYTES 20 - -#define ASCON_128_RATE 8 -#define ASCON_128A_RATE 16 -#define ASCON_HASH_RATE 8 - -#define ASCON_128_PA_ROUNDS 12 -#define ASCON_128_PB_ROUNDS 6 - -#define ASCON_128A_PA_ROUNDS 12 -#define ASCON_128A_PB_ROUNDS 8 - -#define ASCON_HASH_PA_ROUNDS 12 -#define ASCON_HASH_PB_ROUNDS 12 - -#define ASCON_HASHA_PA_ROUNDS 12 -#define ASCON_HASHA_PB_ROUNDS 8 - -#define ASCON_HASH_BYTES 32 - -#define ASCON_128_IV \ - (((uint64_t)(ASCON_128_KEYBYTES * 8) << 56) | \ - ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) - -#define ASCON_128A_IV \ - (((uint64_t)(ASCON_128A_KEYBYTES * 8) << 56) | \ - ((uint64_t)(ASCON_128A_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_128A_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_128A_PB_ROUNDS) << 32)) - -#define ASCON_80PQ_IV \ - (((uint64_t)(ASCON_80PQ_KEYBYTES * 8) << 56) | \ - ((uint64_t)(ASCON_128_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_128_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_128_PB_ROUNDS) << 32)) - -#define ASCON_HASH_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32) | \ - ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) - -#define ASCON_HASHA_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32) | \ - ((uint64_t)(ASCON_HASH_BYTES * 8) << 0)) - -#define ASCON_XOF_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS) << 40) | \ - ((uint64_t)(ASCON_HASH_PA_ROUNDS - ASCON_HASH_PB_ROUNDS) << 32)) - -#define ASCON_XOFA_IV \ - (((uint64_t)(ASCON_HASH_RATE * 8) << 48) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS) 
<< 40) | \ - ((uint64_t)(ASCON_HASHA_PA_ROUNDS - ASCON_HASHA_PB_ROUNDS) << 32)) - static inline void P12(state_t* s) { - printstate(" permutation input", s); ROUND(s, 0xf0); ROUND(s, 0xe1); ROUND(s, 0xd2); @@ -86,7 +24,6 @@ static inline void P12(state_t* s) { } static inline void P8(state_t* s) { - printstate(" permutation input", s); ROUND(s, 0xb4); ROUND(s, 0xa5); ROUND(s, 0x96); @@ -98,7 +35,6 @@ static inline void P8(state_t* s) { } static inline void P6(state_t* s) { - printstate(" permutation input", s); ROUND(s, 0x96); ROUND(s, 0x87); ROUND(s, 0x78); diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.c b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.c index 6cb5f4d..9b03f87 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.c +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.c @@ -1,21 +1,32 @@ -#ifdef ASCON_PRINTSTATE +#ifdef ASCON_PRINT_STATE #include "printstate.h" #include #include +#include -void printword(const char* text, const word_t x) { - printf("%s=%016" PRIx64 "\n", text, WORDTOU64(x)); +#ifndef WORDTOU64 +#define WORDTOU64 +#endif + +#ifndef U64BIG +#define U64BIG +#endif + +void printword(const char* text, const uint64_t x) { + printf("%s=%016" PRIx64, text, U64BIG(WORDTOU64(x))); } void printstate(const char* text, const state_t* s) { - printf("%s:\n", text); - printword(" x0", s->x0); - printword(" x1", s->x1); - printword(" x2", s->x2); - printword(" x3", s->x3); - printword(" x4", s->x4); + printf("%s:", text); + for (int i = strlen(text); i < 17; ++i) printf(" "); + printword(" x0", s->x[0]); + printword(" x1", s->x[1]); + printword(" x2", s->x[2]); + printword(" x3", s->x[3]); + printword(" x4", s->x[4]); + printf("\n"); } #endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.h b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.h index 77fc246..8b95b06 100644 
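Review bot: In the new printstate body, `for (int i = strlen(text); i < 17; ++i) printf(" ");` narrows the `size_t` returned by strlen into an `int` and then compares it against a plain integer; `for (size_t i = strlen(text); i < 17; ++i)` keeps the type consistent and is warning-free under strict flags. The added `#ifndef WORDTOU64` / `#ifndef U64BIG` blocks define empty object-like macros, so `U64BIG(WORDTOU64(x))` collapses to `((x))`; that is not obvious from the text and deserves a comment such as `/* identity fallbacks: variants whose word.h defines WORDTOU64/U64BIG take precedence */`. The header names in the `#include` lines are not visible in this rendering, so I cannot confirm the one needed for strlen is among them.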
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/printstate.h
@@ -1,12 +1,12 @@
 #ifndef PRINTSTATE_H_
 #define PRINTSTATE_H_
-#ifdef ASCON_PRINTSTATE
+#ifdef ASCON_PRINT_STATE
 #include "ascon.h"
 #include "word.h"
-void printword(const char* text, const word_t x);
+void printword(const char* text, const uint64_t x);
 void printstate(const char* text, const state_t* s);
 #else
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/round.h b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/round.h
index 64ad619..879e895 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/round.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/round.h
@@ -5,36 +5,36 @@
 #include "printstate.h"
 static inline uint64_t ROR(uint64_t x, int n) {
- return (x << (64 - n)) | (x >> n);
+ return x >> n | x << (-n & 63);
 }
 static inline void ROUND(state_t* s, uint8_t C) {
 state_t t;
 /* addition of round constant */
- s->x2 ^= C;
+ s->x[2] ^= C;
 /* printstate(" round constant", s); */
 /* substitution layer */
- s->x0 ^= s->x4;
- s->x4 ^= s->x3;
- s->x2 ^= s->x1;
+ s->x[0] ^= s->x[4];
+ s->x[4] ^= s->x[3];
+ s->x[2] ^= s->x[1];
 /* start of keccak s-box */
- t.x0 = s->x0 ^ (~s->x1 & s->x2);
- t.x1 = s->x1 ^ (~s->x2 & s->x3);
- t.x2 = s->x2 ^ (~s->x3 & s->x4);
- t.x3 = s->x3 ^ (~s->x4 & s->x0);
- t.x4 = s->x4 ^ (~s->x0 & s->x1);
+ t.x[0] = s->x[0] ^ (~s->x[1] & s->x[2]);
+ t.x[1] = s->x[1] ^ (~s->x[2] & s->x[3]);
+ t.x[2] = s->x[2] ^ (~s->x[3] & s->x[4]);
+ t.x[3] = s->x[3] ^ (~s->x[4] & s->x[0]);
+ t.x[4] = s->x[4] ^ (~s->x[0] & s->x[1]);
 /* end of keccak s-box */
- t.x1 ^= t.x0;
- t.x0 ^= t.x4;
- t.x3 ^= t.x2;
- t.x2 = ~t.x2;
+ t.x[1] ^= t.x[0];
+ t.x[0] ^= t.x[4];
+ t.x[3] ^= t.x[2];
+ t.x[2] = ~t.x[2];
 /* printstate(" substitution layer", &t); */
 /* linear diffusion layer */
- s->x0 = t.x0 ^ ROR(t.x0, 19) ^ ROR(t.x0, 28);
- s->x1 = t.x1 ^ ROR(t.x1, 61) ^ ROR(t.x1, 39);
- s->x2 = t.x2 ^ ROR(t.x2, 1) ^ ROR(t.x2, 6);
- s->x3 = t.x3 ^ ROR(t.x3, 10) ^ ROR(t.x3, 17);
- s->x4 = t.x4 ^ ROR(t.x4, 7) ^ ROR(t.x4, 41);
+ s->x[0] = t.x[0] ^ ROR(t.x[0], 19) ^ ROR(t.x[0], 28);
+ s->x[1] = t.x[1] ^ ROR(t.x[1], 61) ^ ROR(t.x[1], 39);
+ s->x[2] = t.x[2] ^ ROR(t.x[2], 1) ^ ROR(t.x[2], 6);
+ s->x[3] = t.x[3] ^ ROR(t.x[3], 10) ^ ROR(t.x[3], 17);
+ s->x[4] = t.x[4] ^ ROR(t.x[4], 7) ^ ROR(t.x[4], 41);
 printstate(" round output", s);
 }
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/word.h b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/word.h
index 4af47e3..3157950 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/ref/word.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/ref/word.h
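Review bot: The rewritten rotate, `return x >> n | x << (-n & 63);`, silently fixes a latent problem of the old form and should say so: `x << (64 - n)` evaluates `x << 64` when n == 0, which is undefined behaviour for a 64-bit operand, whereas `-n & 63` keeps the left-shift count within 0..63 for every n in 0..63. Suggest adding `/* (-n & 63) == 64 - n for 1 <= n <= 63 and 0 for n == 0, so no shift ever reaches 64 (UB) */` above the return. The expression relies on `<<`/`>>` binding tighter than `|`; `(x >> n) | (x << (-n & 63))` reads more safely for a reviewer auditing the diffusion layer. The per-round `printstate(" round output", s);` call is unchanged by this hunk and only matters when the print macro is enabled.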
@@ -2,11 +2,9 @@
 #define WORD_H_
 #include
+#include
-#define WORDTOU64
-#define U64TOWORD
-
-typedef uint64_t word_t;
+typedef uint64_t uint64_t;
 /* get byte from 64-bit Ascon word */
 #define GETBYTE(x, i) ((uint8_t)((uint64_t)(x) >> (56 - 8 * (i))))
diff --git a/ascon/LICENSE b/ascon/LICENSE
new file mode 100644
index 0000000..3bbbc1e
--- /dev/null
+++ b/ascon/LICENSE
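Review bot: `typedef uint64_t uint64_t;` redeclares a typedef with the same name and has no effect; C11 tolerates redefining a typedef to the same type, but C99 does not, so compiling this header with `-std=c99` fails with a redefinition error. Since printstate.h in this same commit already replaced `word_t` with plain `uint64_t`, the line can simply be deleted rather than replaced. The removed `#define WORDTOU64` / `#define U64TOWORD` are now supplied as empty fallbacks by `#ifndef` guards in printstate.c; a one-line comment here, e.g. `/* ref variant: WORDTOU64/U64BIG are identity, defaulted in printstate.c */`, would keep that coupling visible. I cannot see which header the new `#include` pulls in, so whether it is still needed after dropping the typedef is unverified.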
@@ -0,0 +1,116 @@ +CC0 1.0 Universal + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator and +subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for the +purpose of contributing to a commons of creative, cultural and scientific +works ("Commons") that the public can reliably and without fear of later +claims of infringement build upon, modify, incorporate in other works, reuse +and redistribute as freely as possible in any form whatsoever and for any +purposes, including without limitation commercial purposes. These owners may +contribute to the Commons to promote the ideal of a free culture and the +further production of creative, cultural and scientific works, or to gain +reputation or greater distribution for their Work in part through the use and +efforts of others. + +For these and/or other purposes and motivations, and without any expectation +of additional consideration or compensation, the person associating CC0 with a +Work (the "Affirmer"), to the extent that he or she is an owner of Copyright +and Related Rights in the Work, voluntarily elects to apply CC0 to the Work +and publicly distribute the Work under its terms, with knowledge of his or her +Copyright and Related Rights in the Work and the meaning and intended legal +effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not limited +to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, communicate, + and translate a Work; + + ii. moral rights retained by the original author(s) and/or performer(s); + + iii. 
publicity and privacy rights pertaining to a person's image or likeness + depicted in a Work; + + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + + v. rights protecting the extraction, dissemination, use and reuse of data in + a Work; + + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation thereof, + including any amended or successor version of such directive); and + + vii. other similar, equivalent or corresponding rights throughout the world + based on applicable law or treaty, and any national implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention of, +applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and +unconditionally waives, abandons, and surrenders all of Affirmer's Copyright +and Related Rights and associated claims and causes of action, whether now +known or unknown (including existing as well as future claims and causes of +action), in the Work (i) in all territories worldwide, (ii) for the maximum +duration provided by applicable law or treaty (including future time +extensions), (iii) in any current or future medium and for any number of +copies, and (iv) for any purpose whatsoever, including without limitation +commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes +the Waiver for the benefit of each member of the public at large and to the +detriment of Affirmer's heirs and successors, fully intending that such Waiver +shall not be subject to revocation, rescission, cancellation, termination, or +any other legal or equitable action to disrupt the quiet enjoyment of the Work +by the public as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. 
Should any part of the Waiver for any reason be +judged legally invalid or ineffective under applicable law, then the Waiver +shall be preserved to the maximum extent permitted taking into account +Affirmer's express Statement of Purpose. In addition, to the extent the Waiver +is so judged Affirmer hereby grants to each affected person a royalty-free, +non transferable, non sublicensable, non exclusive, irrevocable and +unconditional license to exercise Affirmer's Copyright and Related Rights in +the Work (i) in all territories worldwide, (ii) for the maximum duration +provided by applicable law or treaty (including future time extensions), (iii) +in any current or future medium and for any number of copies, and (iv) for any +purpose whatsoever, including without limitation commercial, advertising or +promotional purposes (the "License"). The License shall be deemed effective as +of the date CC0 was applied by Affirmer to the Work. Should any part of the +License for any reason be judged legally invalid or ineffective under +applicable law, such partial invalidity or ineffectiveness shall not +invalidate the remainder of the License, and in such case Affirmer hereby +affirms that he or she will not (i) exercise any of his or her remaining +Copyright and Related Rights in the Work or (ii) assert any associated claims +and causes of action with respect to the Work, in either case contrary to +Affirmer's express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + + b. 
Affirmer offers the Work as-is and makes no representations or warranties + of any kind concerning the Work, express, implied, statutory or otherwise, + including without limitation warranties of title, merchantability, fitness + for a particular purpose, non infringement, or the absence of latent or + other defects, accuracy, or the present or absence of errors, whether or not + discoverable, all to the greatest extent permissible under applicable law. + + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without limitation + any person's Copyright and Related Rights in the Work. Further, Affirmer + disclaims responsibility for obtaining any necessary consents, permissions + or other rights required for any use of the Work. + + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to this + CC0 or use of the Work. + +For more information, please see + \ No newline at end of file diff --git a/ascon/README.md b/ascon/README.md new file mode 100644 index 0000000..a997abe --- /dev/null +++ b/ascon/README.md 
@@ -0,0 +1,407 @@ +# Reference, optimized, masked C and ASM implementations of Ascon + +Ascon is a family of lightweight cryptographic algorithms and consists of: +- Authenticated encryption schemes with associated data (AEAD) +- Hash functions (HASH) and extendible output functions (XOF) +- Pseudo-random functions (PRF) and message authentication codes (MAC) + +All implementations use the "ECRYPT Benchmarking of Cryptographic Systems (eBACS)" interface: + +- https://bench.cr.yp.to/call-aead.html for AEAD (Ascon-128, Ascon-128a, Ascon-80pq) +- https://bench.cr.yp.to/call-hash.html for HASH and XOF (Ascon-Hash, Ascon-Hasha, Ascon-Xof, Ascon-Xofa) +- https://nacl.cr.yp.to/auth.html for PRF and MAC (Ascon-Mac, Ascon-Prf, Ascon-PrfShort) + +For more information on Ascon visit: https://ascon.iaik.tugraz.at/ + + +## Algorithms + +This repository contains implementations of the following 10 Ascon v1.2 algorithms: + +- `crypto_aead/ascon128v12`: Ascon-128 +- `crypto_aead/ascon128av12`: Ascon-128a +- `crypto_aead/ascon80pqv12`: Ascon-80pq +- `crypto_hash/asconhashv12`: Ascon-Hash +- `crypto_hash/asconhashav12`: Ascon-Hasha +- `crypto_hash/asconxofv12`: Ascon-Xof +- `crypto_hash/asconxofav12`: Ascon-Xofa +- `crypto_auth/asconmacv12`: Ascon-Mac +- `crypto_auth/asconprfv12`: Ascon-Prf +- `crypto_auth/asconprfsv12`: Ascon-PrfShort + +We also provide two combined algorithm implementations supporting both AEAD and +hashing: + +- `crypto_aead_hash/asconv12`: Ascon-128 combined with Ascon-Hash +- `crypto_aead_hash/asconav12`: Ascon-128a combined with Ascon-Hasha + +The following algorithms demonstrate the performance improvement of Ascon on +32-bit platforms without bit interleaving overhead. Bit interleaving could be +performed externally on the host side or using a dedicated instruction (e.g. +using the ARM Custom Datapath Extension). Note that a similar performance +improvement could be achieved using funnel shift instructions (available on some +32-bit RISC-V extensions). 
+ +- `crypto_aead/ascon128bi32v12`: Ascon-128 (+17% on ARM1176JZF-S) +- `crypto_aead/ascon128abi32v12`: Ascon-128a (+23% on ARM1176JZF-S) +- `crypto_hash/asconhashbi32v12`: Ascon-Hash (+5% on ARM1176JZF-S) +- `crypto_hash/asconhashabi32v12`: Ascon-Hasha (+8% on ARM1176JZF-S) +- `crypto_aead_hash/asconbi32v12`: Ascon-128 combined with Ascon-Hash +- `crypto_aead_hash/asconabi32v12`: Ascon-128a combined with Ascon-Hasha + + +## Implementations + +For most algorithms, we provide the following pure C implementations: + +- `ref`: reference implementation +- `opt64`: 64-bit speed-optimized +- `opt32`: 32-bit speed-optimized +- `opt64_lowsize`: 64-bit size-optimized +- `opt32_lowsize`: 32-bit size-optimized +- `bi32`: 32-bit speed-optimized bit-interleaved +- `bi32_lowreg`: 32-bit speed-optimized bit-interleaved (low register usage) +- `bi32_lowsize`: 32-bit size-optimized bit-interleaved +- `esp32`: 32-bit ESP32 optimized +- `opt8`: 8-bit optimized +- `bi8`: 8-bit optimized bit-interleaved + +the following C with inline ASM implementations: + +- `avx512`: 320-bit speed-optimized AVX512 +- `neon`: 64-bit speed-optimized ARM NEON +- `armv6`: 32-bit speed-optimized ARMv6 +- `armv6m`: 32-bit speed-optimized ARMv6-M +- `armv7m`: 32-bit speed-optimized ARMv7-M +- `armv6_lowsize`: 32-bit size-optimized ARMv6 +- `armv6m_lowsize`: 32-bit size-optimized ARMv6-M +- `armv7m_lowsize`: 32-bit size-optimized ARMv7-M +- `armv7m_small`: 32-bit small speed-optimized ARMv7-M +- `bi32_armv6`: 32-bit speed-optimized bit-interleaved ARMv6 +- `bi32_armv6m`: 32-bit speed-optimized bit-interleaved ARMv6-M +- `bi32_armv7m`: 32-bit speed-optimized bit-interleaved ARMv7-M +- `bi32_armv7m_small`: 32-bit small bit-interleaved ARMv7-M + +the following ASM implementations: + +- `asm_esp32`: 32-bit optimized funnel-shift ESP32 +- `asm_rv32i`: 32-bit optimized RV32I (base instructions) +- `asm_rv32b`: 32-bit optimized RV32B (bitmanip Zbb) +- `asm_fsr_rv32b`: 32-bit optimized funnel-shift RV32B (bitmanip 
ZbbZbt) +- `asm_bi32_rv32b`: 32-bit optimized bit-interleaved RV32B (bitmanip ZbbZbp) + +and the following high-level masked (shared) C with inline ASM implementations: + +- `protected_bi32_armv6`: 32-bit masked bit-interleaved ARMv6 +- `protected_bi32_armv6_leveled`: 32-bit masked and leveled bit-interleaved ARMv6 + +The masked C implementations can be used as a starting point to generate +device specific C/ASM implementations. Note that the masked C implementations +require a minimum amount of ASM instructions. Otherwise, the compiler may +heavily optimize the code and even combine shares. Obviously, the output +generated is very sensitive to compiler and environment changes and any +generated output needs to be security evaluated. A preliminary evaluation of +these implementations has been performed on some +[ChipWhisperer](https://www.newae.com/chipwhisperer) devices. The setup and +preliminary results can found at: https://github.com/ascon/simpleserial-ascon + + +# Performance results on different CPUs in cycles per byte + +## Ascon-128 and Ascon-80pq + +| Message Length in Bytes | 1 | 8 | 16 | 32 | 64 | 1536 | long | +|:-------------------------|-----:|-----:|-----:|-----:|-----:|-----:|-----:| +| AMD Ryzen 7 1700\* | | | | | 14.5 | 8.8 | 8.6 | +| Intel Xeon E5-2609 v4\* | | | | | 17.3 | 10.8 | 10.5 | +| Cortex-A53 (ARMv8)\* | | | | | 18.3 | 11.3 | 11.0 | +| Intel Core i5-6300U | 367 | 58 | 35 | 23 | 17.6 | 11.9 | 11.4 | +| Intel Core i5-4200U | 521 | 81 | 49 | 32 | 23.9 | 16.2 | 15.8 | +| Cortex-A15 (ARMv7)\* | | | | | 69.8 | 36.2 | 34.6 | +| Cortex-A7 (NEON) | 2182 | 249 | 148 | 97 | 71.7 | 47.5 | 46.5 | +| Cortex-A7 (ARMv7) | 1871 | 292 | 175 | 115 | 86.6 | 58.3 | 57.2 | +| ARM1176JZF-S (ARMv6) | 1921 | 277 | 167 | 112 | 83.7 | 57.2 | 56.8 | + + +## Ascon-128a + +| Message Length in Bytes | 1 | 8 | 16 | 32 | 64 | 1536 | long | +|:-------------------------|-----:|-----:|-----:|-----:|-----:|-----:|-----:| +| AMD Ryzen 7 1700\* | | | | | 12.0 | 6.0 | 5.7 | 
+| Intel Xeon E5-2609 v4\* | | | | | 14.1 | 7.3 | 6.9 | +| Cortex-A53 (ARMv8)\* | | | | | 15.1 | 7.6 | 7.3 | +| Intel Core i5-6300U | 365 | 47 | 31 | 19 | 13.5 | 8.0 | 7.8 | +| Intel Core i5-4200U | 519 | 67 | 44 | 27 | 18.8 | 11.0 | 10.6 | +| Cortex-A15 (ARMv7)\* | | | | | 60.3 | 25.3 | 23.8 | +| Cortex-A7 (NEON) | 2204 | 226 | 132 | 82 | 55.9 | 31.7 | 30.7 | +| Cortex-A7 (ARMv7) | 1911 | 255 | 161 | 102 | 71.3 | 42.3 | 41.2 | +| ARM1176JZF-S (ARMv6) | 1908 | 235 | 156 | 99 | 70.4 | 43.0 | 42.9 | + + +## Ascon-Hash and Ascon-Xof + +| Message Length in Bytes | 1 | 8 | 16 | 32 | 64 | 1536 | long | +|:-------------------------|-----:|-----:|-----:|-----:|------:|-----:|-----:| +| Intel Core i5-6300U | 747 | 114 | 69 | 46 | 34.2 | 23.2 | 23.1 | +| Intel Core i5-4200U | 998 | 153 | 92 | 61 | 45.5 | 30.9 | 30.7 | +| ARM1176JZF-S (ARMv6) | 3051 | 462 | 277 | 184 | 137.3 | 92.6 | 92.2 | + + +## Ascon-Hasha and Ascon-Xofa + +| Message Length in Bytes | 1 | 8 | 16 | 32 | 64 | 1536 | long | +|:-------------------------|-----:|-----:|-----:|-----:|------:|-----:|-----:| +| Intel Core i5-6300U | 550 | 83 | 49 | 33 | 23.7 | 15.6 | 15.5 | +| Intel Core i5-4200U | 749 | 112 | 67 | 44 | 31.8 | 20.8 | 20.7 | +| ARM1176JZF-S (ARMv6) | 2390 | 356 | 211 | 138 | 100.7 | 65.7 | 65.3 | + + +## Ascon-Mac and Ascon-Prf + +| Message Length in Bytes | 1 | 8 | 16 | 32 | 64 | 1536 | long | +|:-------------------------|-----:|-----:|-----:|-----:|-----:|-----:|-----:| +| Intel Core i5-6300U | 369 | 46 | 24 | 18 | 11.7 | 6.4 | 6.3 | +| Intel Core i5-4200U | 506 | 63 | 32 | 24 | 16.2 | 8.8 | 8.7 | +| ARM1176JZF-S (ARMv6) | 1769 | 223 | 117 | 85 | 57.5 | 31.9 | 31.6 | + + +## Ascon-PrfShort + +| Message Length in Bytes | 1 | 8 | 16 | 32 | 64 | 1536 | long | +|:-------------------------|-----:|-----:|-----:|-----:|-----:|-----:|-----:| +| Intel Core i5-6300U | 185 | 23 | 12 | - | - | - | - | +| Intel Core i5-4200U | 257 | 33 | 17 | - | - | - | - | +| ARM1176JZF-S (ARMv6) | 1057 | 132 | 69 | - | - | 
- | - | + +\* Results taken from eBACS: http://bench.cr.yp.to/ + + +# Build and test + +Build and test all Ascon C targets using performance flags: + +``` +mkdir build && cd build +cmake .. +cmake --build . +ctest +``` + + +Build and test all Ascon C targets on Windows: + +``` +mkdir build && cd build +cmake .. +cmake --build . --config Release +ctest -C Release +``` + + +Build and test all Ascon C targets using NIST flags and sanitizers: + +``` +mkdir build && cd build +cmake .. -DCMAKE_BUILD_TYPE=Debug +cmake --build . +ctest +``` + +Manually set the compiler and compiler flags. + +``` +mkdir build && cd build +cmake .. -DCMAKE_C_COMPILER=clang -DREL_FLAGS="-O2;-fomit-frame-pointer;-march=native;-mtune=native" +cmake --build . +ctest +``` + +Build and run only specific algorithms, implementations and tests: + +``` +mkdir build && cd build +cmake .. -DALG_LIST="ascon128;asconhash" -DIMPL_LIST="opt64;bi32" -DTEST_LIST="genkat" +cmake --build . +ctest +``` + +Note that cmake stores variables in a cache. Therefore, variables can be set +one-by-one, unset using e.g. `cmake . -UIMPL_LIST` and shown using `cmake . -L`: + +``` +mkdir build && cd build +cmake .. +cmake . -DALG_LIST="ascon128;asconhash" +cmake . -DIMPL_LIST="opt64;bi32" +cmake . -DTEST_LIST="genkat" +cmake . -L +cmake --build . +ctest +``` + +Cross compile and test with custom emulator using e.g. `qemu-arm`: + +``` +mkdir build && cd build +cmake .. -DCMAKE_C_COMPILER="arm-linux-gnueabi-gcc" \ + -DREL_FLAGS="-O2;-fomit-frame-pointer;-march=armv7;-mtune=cortex-m4" \ + -DEMULATOR="qemu-arm;-L;/usr/arm-linux-gnueabi" \ + -DALG_LIST="ascon128;ascon128a" -DIMPL_LIST="armv7m;bi32_armv7m" +cmake --build . +ctest +``` + +or using Intel SDE (use full path to `sde` or add to path variable): + +``` +mkdir build && cd build +cmake .. -DCMAKE_C_COMPILER=gcc -DIMPL_LIST=avx512 -DEMULATOR="sde;--" \ + -DREL_FLAGS="-O2;-fomit-frame-pointer;-march=icelake-client" +cmake --build . 
+ctest +``` + + +# Build and benchmark: + +Build the getcycles test: + +``` +mkdir build && cd build +cmake .. -DALG_LIST="ascon128;asconhash" -DIMPL_LIST="opt32;opt32_lowsize" -DTEST_LIST="getcycles" +cmake --build . +``` + +Get the CPU cycle performance: + +``` +./getcycles_crypto_aead_ascon128v12_opt32 +./getcycles_crypto_aead_ascon128v12_opt32_lowsize +./getcycles_crypto_hash_asconhashv12_opt32 +./getcycles_crypto_hash_asconhashv12_opt32_lowsize +``` + +Get the implementation size: + +``` +size -t libcrypto_aead_ascon128v12_opt32.a +size -t libcrypto_aead_ascon128v12_opt32_lowsize.a +size -t libcrypto_hash_asconhashv12_opt32.a +size -t libcrypto_hash_asconhashv12_opt32_lowsize.a +``` + + +# Manually build and run a single Ascon target: + +Build example for AEAD algorithms: + +``` +gcc -march=native -O3 -Icrypto_aead/ascon128v12/opt64 crypto_aead/ascon128v12/opt64/*.c -Itests tests/genkat_aead.c -o genkat +gcc -march=native -O3 -Icrypto_aead/ascon128v12/opt64 crypto_aead/ascon128v12/opt64/*.c -DCRYPTO_AEAD -Itests tests/getcycles.c -o getcycles +``` + +Build example for HASH algorithms: + +``` +gcc -march=native -O3 -Icrypto_hash/asconhashv12/opt64 crypto_hash/asconhashv12/opt64/*.c -Itests tests/genkat_hash.c -o genkat +gcc -march=native -O3 -Icrypto_hash/asconhashv12/opt64 crypto_hash/asconhashv12/opt64/*.c -DCRYPTO_HASH -Itests tests/getcycles.c -o getcycles +``` + +Generate KATs and get CPU cycles: + +``` +./genkat +./getcycles +``` + + +# Benchmarking + +## Hints to get more reliable getcycles results on Intel/AMD CPUs: + +* Determine the processor base frequency (also called design frequency): + - e.g. using the Intel/AMD website + - or using `lscpu` listed under model name + +* Disable turbo boost (this should lock the frequency to the next value + below the processor base frequency): + ``` + echo 1 | sudo tee /sys/devices/system/cpu/intel_pstate/no_turbo + ``` + +* If the above does not work, manually set the frequency using e.g. `cpufreq-set`. 
+ +* Determine the actual frequency (under load): + - e.g. by watching the frequency using `lscpu` or `cpufreq-info` + +* Determine the scaling factor between the actual and base frequency: + - factor = actual frequency / base frequency + +* Run a getcycles program using the frequency factor and watch the results: + ``` + while true; do ./getcycles_crypto_aead_ascon128v12_opt64 $factor; done + ``` + +* Run the `benchmark-getcycles.sh` script with the frequency factor and a + specific algorithm to benchmark all corresponding getcycles implementations: + ``` + ./benchmark-getcycles.sh $factor ascon128 + ``` + + +## Hints to activate the performance monitor unit (PMU) on ARM CPUs: + +* First try to install `linux-tools` and see if it works. + +* On many ARM platforms, the PMU has to be enabled using a kernel module: + - Source code for Armv6 (32-bit): + + - Source code for Armv7 (32-bit): + + - Source code for Armv8/Aarch64 (64-bit): + + +* Steps to compile the kernel module on the raspberry pi: + - Find out the kernel version using `uname -a` + - Download the kernel header files, e.g. `raspberrypi-kernel-header` + - Download the source code for the Armv6 kernel module + - Build, install and load the kernel module + + +## Benchmark Ascon v1.2 using supercop + +Download supercop according to the website: http://bench.cr.yp.to/supercop.html + +To test only Ascon, just run the following commands: + +``` +./do-part init +./do-part crypto_aead ascon128v12 +./do-part crypto_aead ascon128av12 +./do-part crypto_aead ascon80pqv12 +./do-part crypto_hash asconhashv12 +./do-part crypto_hash asconxofv12 +``` + + +## Evaluate and optimize Ascon on constraint devices: + +* The ascon-c code allows to set compile-time parameters `ASCON_INLINE_MODE` + (IM), `ASCON_INLINE_PERM` (IP), `ASCON_UNROLL_LOOPS` (UL), `ASCON_INLINE_BI` + (IB), via command line or in the `crypto_*/ascon*/*/config.h` files. 
+* Use the `benchmark-config.sh` script to evaluate all combinations of these + parameters for a given list of Ascon implementations. The script is called + with an output file, frequency factor, the algorithm, and the list of + implementations to test: + ``` + ./benchmark-config.sh results-config.md $factor ascon128 ref opt64 opt64_lowsize + ``` +* The `results-config.md` file then contains a markup table with size and cycles + for each implementation and parameter set to evaluate several time-area + trade-offs. +* The `benchmark-all.sh` and `benchmark-size.sh` scripts provides a time/size + and size-only table of all currently compiled implementations: + ``` + ./benchmark-all.sh results-all.md + ./benchmark-size.sh results-size.md + ``` diff --git a/ascon/genkat.cmake b/ascon/genkat.cmake new file mode 100644 index 0000000..99dcfe8 --- /dev/null +++ b/ascon/genkat.cmake 
@@ -0,0 +1,55 @@
+# setup KAT file name
+if(${ALG} STREQUAL ascon128v12 OR ${ALG} STREQUAL ascon128av12 OR
+ ${ALG} STREQUAL ascon128bi32v12 OR ${ALG} STREQUAL ascon128abi32v12)
+ set(KAT_PATH crypto_aead/${ALG})
+ set(KAT_FILE LWC_AEAD_KAT_128_128.txt)
+elseif(${ALG} STREQUAL ascon80pqv12)
+ set(KAT_PATH crypto_aead/${ALG})
+ set(KAT_FILE LWC_AEAD_KAT_160_128.txt)
+elseif(${ALG} STREQUAL asconhashv12 OR ${ALG} STREQUAL asconhashav12 OR
+ ${ALG} STREQUAL asconhashbi32v12 OR ${ALG} STREQUAL asconhashabi32v12 OR
+ ${ALG} STREQUAL asconxofv12 OR ${ALG} STREQUAL asconxofav12)
+ set(KAT_PATH crypto_hash/${ALG})
+ set(KAT_FILE LWC_HASH_KAT_256.txt)
+elseif((${ALG} STREQUAL asconv12 OR ${ALG} STREQUAL asconav12 OR
+ ${ALG} STREQUAL asconbi32v12 OR ${ALG} STREQUAL asconabi32v12) AND
+ ${CRYPTO} STREQUAL aead)
+ set(KAT_PATH crypto_aead_hash/${ALG})
+ set(KAT_FILE LWC_AEAD_KAT_128_128.txt)
+elseif((${ALG} STREQUAL asconv12 OR ${ALG} STREQUAL asconav12 OR
+ ${ALG} STREQUAL asconbi32v12 OR ${ALG} STREQUAL asconabi32v12) AND
+ ${CRYPTO} STREQUAL hash)
+ set(KAT_PATH crypto_aead_hash/${ALG})
+ set(KAT_FILE LWC_HASH_KAT_256.txt)
+elseif(${ALG} STREQUAL asconprfv12 OR ${ALG} STREQUAL asconmacv12 OR
+ ${ALG} STREQUAL asconprfsv12)
+ set(KAT_PATH crypto_auth/${ALG})
+ set(KAT_FILE LWC_AUTH_KAT_128_128.txt)
+else()
+ message(FATAL_ERROR "KAT file name not defined for algorithm ${ALG}.")
+endif()
+
+# prepend emulator and add config
+if(EXISTS ${BIN_DIR}/${CONFIG})
+ set(CMD "${EMULATOR} ${BIN_DIR}/${CONFIG}/${EXE_NAME}")
+else()
+ set(CMD "${EMULATOR} ${BIN_DIR}/${EXE_NAME}")
+endif()
+
+# first entry is command (emulator or native command)
+separate_arguments(CMDLIST NATIVE_COMMAND ${CMD})
+list(GET CMDLIST 0 CMD)
+list(REMOVE_AT CMDLIST 0)
+
+# remove previous and generate new KAT file
+file(REMOVE ${BIN_DIR}/${KAT_FILE})
+execute_process(COMMAND ${CMD} ${CMDLIST})
+configure_file(${BIN_DIR}/${KAT_FILE} ${BIN_DIR}/${KAT_FILE} NEWLINE_STYLE LF)
+
+# compare KAT files
+execute_process(COMMAND ${CMAKE_COMMAND} -E compare_files
+ ${BIN_DIR}/${KAT_FILE} ${SRC_DIR}/${KAT_PATH}/${KAT_FILE}
+ RESULT_VARIABLE COMPARE_RESULT)
+if(${COMPARE_RESULT})
+ message(FATAL_ERROR "KAT files are not identical.")
+endif()
-- libgit2 0.26.0
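Review bot: The `execute_process(COMMAND ${CMD} ${CMDLIST})` that runs the KAT generator discards the process exit status, so a generator that writes a complete KAT file and then exits non-zero (a sanitizer report at exit in the Debug configuration the README describes, for instance) still passes this test as long as the file content matches; only a missing or differing file is caught. Capture `RESULT_VARIABLE` and fail on anything but 0, and make the output location explicit with `WORKING_DIRECTORY ${BIN_DIR}`, since the script later reads `${BIN_DIR}/${KAT_FILE}` and currently depends on the caller's working directory for that to hold. Separately, the comparisons `if(${ALG} STREQUAL ascon128v12 ...)` and `if(${COMPARE_RESULT})` should quote their expansions (`if("${ALG}" STREQUAL "ascon128v12")`, `if(NOT COMPARE_RESULT EQUAL 0)`) so an empty or variable-named value is not dereferenced again by `if()`.
```cmake
# … unchanged: KAT file-name selection, emulator/command splitting, file(REMOVE …) …
execute_process(COMMAND ${CMD} ${CMDLIST}
                WORKING_DIRECTORY ${BIN_DIR}
                RESULT_VARIABLE RUN_RESULT)
if(NOT RUN_RESULT EQUAL 0)
  message(FATAL_ERROR "KAT generation failed with exit status ${RUN_RESULT}.")
endif()
# … unchanged: configure_file and compare_files check …
```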